Bluesky Dev
Community discussion of the AT Protocol and Bluesky. (This room is not officially affiliated with the Bluesky team.)
Previous group of messages
  1. mikuhl
    twitters home page when not logged in still shows tweets
  2. code.
    people have already made projects to allow embedding messages on other sites, so it wouldn't surprise me if we get a 3rd party logged out client
  3. snarfed
    they definitely exist already, https://blue.amazingca.dev/ launched months ago
  4. among others
  5. HeckinDang joined the room
  6. HeckinDang
    While I'm waiting on an invite, I thought I's ask the dev community: Would the best course of action for the AT protocol in setting up a handle be to self-host (owned domain name), or jump in headfirst and rely on default?
  7. snarfed
    your DNS domain handle is separate from the Bluesky server you use, you don't need to serve anything on your handle domain
  8. also they haven't turned on federation yet, so self-hosting won't let you interact with the main service yet
  9. Kjartan
    Message deleted
  10. Kjartan
    Half offtopic but related: what client for matrix do you use on your phone?
  11. In reply to this message

    If its just in order to play with the protocol - I have started a playground (and left a few codes for it somewhere in the threads)
  12. In reply to this message

    I find the
    element.io
    client horrible on mobile
  13. HeckinDang
    Aye, looking forward to just playing with the protocol in general... while I wait I will lurk in the dev channel here and read up on things
  14. @neeg:nitro.chat
  15. Kjartan

    In reply to this message

    Thanks!! I will
  16. Actually I'm not convinced by the protocol anymore at all (but I think it solves what was to solve, so that's no complain). What I meant with the playground: If you want to play around with the protocol but just haven't got a way to try your code on some server - you can on my instance (it's just for dev purposes so, nothing exciting is happening there - but you can try your code there)
  17. lamrongol

    In reply to this message

    I am not familiar with web technology, but do you mean that we can distinguish whether it is fake or not if we look into it properly? However, if we can't distinguish just by looking at it on Bluesky, then I think a way to prevent is needed.
  18. snarfed

    In reply to this message

    on the Bluesky PDS itself, a user only gets a domain handle if it's bidirectionally verified, ie not fake
  19. we don't yet know exactly how that will work once federation is on
  20. caleb joined the room
  21. caleb
    👋
  22. mesajatmakicin joined the room
  23. mesajatmakicin
    Hello. Is the waiting list too crowded? I've been waiting for confirmation for a long time.
  24. Dominick Rangel
    read the rules please
  25. nakasyou (Shotaro Nakamura) joined the room
  26. nakasyou (Shotaro Nakamura)
    Hello!
  27. @dead10ck:dead10ck.com

    In reply to this message

    In reply to
    @neeg:nitro.chat
    Is there any protection from DNS hijacking in bsky/atproto?
    You can set up DNSSEC to have authentication transparently, and for even further protection against specifically targeted attacks on your PDS infrastructure, you can set it up to use DNS over TLS/HTTPS. But this would be a separate protocol layer from the PDS software itself
    (edited)
  28. In reply to this message

    I would not recommend encouraging anyone to attempt DNS spoofing, since it's probably a crime 😛
  29. In reply to this message

    If DNS were the only source of truth, this could be completely preventable 🙂
  30. moved to @shreyan:beeper.com@shreyanjain:matrix.org

    In reply to this message

    Unfortunately DNS is somewhat inconvenient to implement on a massive scale
  31. mark
    If I wanted a stream of all posts containing some text, is my only option to get all the subscribe repo data, and filter for posts matching the text on the client side? Or is there some way to either filter subscribe repos on the server side (I'm just a cheapskate trying to limit my network usage if possible), or maybe poll an endpoint similar to /search/posts?
  32. moved to @shreyan:beeper.com@shreyanjain:matrix.org
    rn there's no search endpoint yeah
  33. Dominick Rangel set a profile picture
  34. @dead10ck:dead10ck.com
    Yeah I think what bsky is doing right now with arbitrary implementation and DNS as a fallback makes sense at the MVP stage. But DNS only would be a good long term goal to prevent identity theft
  35. mark
    And subscribe repos is just one big firehose, you can't tune it?
  36. Dominick Rangel

    In reply to this message

    if you really wanted to test this you can set up a spoof towards a "trusted site" and sort of make it a challenge for the other person throughout the week in a somewhat blue and red team testing situation
  37. I don't know exactly how all of that works since I am still learning but I imagine that is how it would be set up to test those sorts of things 😵‍💫😵‍💫
  38. moved to @shreyan:beeper.com@shreyanjain:matrix.org

    In reply to this message

    yep. for now i wouldn't mess with the firehose unless you're willing to get your hands a little dirty
  39. it's all in cbor, and is a websocket
  40. it's really different from every other endpoint so
  41. @dead10ck:dead10ck.com

    In reply to this message

    Yeah if you're going to do this sort of test, make sure it's on domains you own so you're not committing fraud
  42. Dominick Rangel

    In reply to this message

    Oh of course!
  43. @dead10ck:dead10ck.com
    Even then if you don't own the nameservers too, I'd be a little nervous, since it still involves tricking infrastructure you don't own, but ianal
    (edited)
  44. mikuhl
    I am using a javascript framework that is saying for some reason BlobRef isn't serializable, I am guessing that somewhere it uses a weird type?
  45. Yiko Song
    Can anyone tell me how to authenticate between xrpc services? A complete documentation would be great.
  46. @kookoy:matrix.org joined the room
  47. 9rw7stf869 joined the room
  48. Yiko Song
    can anyone tell me how to get an invite code?
    (edited)
  49. Dominick Rangel

    In reply to this message

    this part
  50. lx-is joined the room
  51. Kjartan

    In reply to this message

    I do not know, but to me it seems it's not anymore used
  52. mileszim joined the room
  53. mileszim
    Are the DB migrations for bsky and pds meant to be shared on a single schema/overlap? They're frustratingly close but the code does not seem to suggest they share any tables
  54. Also the use case for bsky is unclear atm--pds works with the apps, but the xrpc in the bsky service does not seem compatible. What is that meant for?
  55. finally just want to say this software is hella cool already and you all have done a wonderful job bringing it to life
  56. Kjartan
    I have no answers, but asked myself exact the same things already. I eventually just ignored bsky (and everything seems to work) 🤷‍♂️
  57. pheebs joined the room
  58. Kjartan

    In reply to this message

    Is it really though? Or is it maybe a chicken-egg kind of thing, and it's just inconvenient, because of poor tooling, which itself is just a result of it getting avoided all too often? Not trying to be snarky, but I have fully automated most of my dns needs (and convenience scripts for a few others). I also recognised a loot of tools have popped up since "let's encrypt"'s dns challenges exist (not a proof, but it kinda supports my claim)
  59. Kjartan
    Btw: you can simply use the client on https://schnitzel-mit-pommes.de directly (no need to change the server etc, it's preconfigured). Also all hard coded links to for example "what's hot" should be fixed and work (unlike the client on staging.bsky). But so far there isn't anything hot
  60. xnf0k
    I may be biased here as a Handshake fan, but DNS is perfect for domain ownership verification. It's possible to write dynamic DNS servers that create record on the fly do its not like you need to have a duplicate table of records with all users.
  61. Kjartan

    In reply to this message

    Additionally: let's not forget that the imo best federated service - email - uses dns as well (and I'm not aware of anyone having tried to challenge that for convenience).
  62. Kjartan
    In general I wished atproto would have copied more of email. Have a dns record which points all users of a domain to a pds, this would also remove the need for any
    plc.directory
    . And I actually don't see the point in having a did I can move to another pds (what I really care about is being able to move a handle from server to server, as I personally identify with the handle and not with the did).
    (edited)
  63. kcchu

    In reply to this message

    I think it is to allow changing the user handle (i.e. domain) without affecting the actual user identity (e.g. contents, follow graph)
  64. Kjartan

    In reply to this message

    Absolutely. That's the intention. What I question is how useful that is. Without a doubt: there are some who will use it (especially as it exists). But is that something people really missed so far? I only missed it in cases where I haven't been able to have my own handle in the first place (so I was forced to change my handle)
  65. But once you can have your own handle, I don't think there is a real demand/ need for changing your handle
  66. xnf0k
    Many don't own domains. Even if you see
    bsky.social
    , most use the default subdomain. And when a PDS service goes down, there's really no way to migrate without changing the handle
  67. kcchu
    I think one of the elegance in the current design is that every handle is a domain name, regardless whether it is a domain you own yourself or subdomain given by the PDS you first sign up. If the system will need to allow changing the handle (even if only once from subdomain to your own domain), it still need a separated user identifier so that other server in the network know that they are the same user.
  68. Kjartan

    In reply to this message

    I agree. But don't see it as such a big issue. More like a nice to have. But maybe that's just because I'm used to it from email (again). It's just not something which happens every week, if even at all (it never happened to me, that an email server disappeared suddenly, but I at least know cases, yeah)
  69. In reply to this message

    Yes and no. It has been working fine for email. And if the server still exists, you could simply also add some kind of redirect/forwarding
  70. kcchu
    I think it doesn't work fine for email. User changes email addresses from time to time (e.g. changing ISP, changing job). It is really a hassle to change email address and setup redirection, or lost some of your old contacts
    (edited)
  71. Kjartan
    It's not like I don't see some nice advantages. It's just that it probably solves an issue, which noone was concerned about so far with email (so maybe a solution to something no one cared much/enough about)
  72. In reply to this message

    Even before I had my own domains, it wasn't an issue for me. Just an email to everyone with the new address. Then some forwarding for a few months, to catch whoever you might have missed to inform. But it's probably personal experience which might not have been for everyone like this
  73. kcchu
    I think the question isn't no one care about the problem, but that you think the solution is too complex to justify the benefits?
  74. Kjartan
    I mean so far atproto hasn't solved the decentralisation (which the email approach would have solved already). Not speaking of missing implementation, but of a general idea how to solve it without the need of plc registries
  75. (there I'm unaware of them not bothering about having registries or them being unable to solve it without (but I wouldn't see a way how they could be avoided))
  76. kcchu
    could you elaborate which part of atproto isn't decentralized (i understand that plc did is just their server)
  77. Kjartan
    Let's imagine federation arrived. Your pds want's to interact with a did from a different pds. Your pds needs to figure out which pds acts for the target did - and has to look it up somewhere. This doesn't have to be plc.registry specifically, also doesn't have to be limited to just one. But still, it would be more than just a "nice to have" to be able to skip this
  78. If it was all focused on a handle (which like I said, will be imo anyway more important to most users) the already existing dns network would serve the function of the plc registries
  79. kcchu
    as I understand, the plc (which stands for Placeholder) DID is a stopgap solution before a real DID is available. So, even with federation, there should be only one PLC server that everyone use
  80. until they could replace PLC with a real decentralized DID
  81. Kjartan

    In reply to this message

    And the one server that everyone uses is exactly how it's central and not decentralised
  82. In reply to this message

    So it's something which still needs solving in a did-focused setting, but would be unnecessary if it was handle-focssed
  83. kcchu
    if the concern about centralization is the DID only, then yes, it is currently (very) centralized. I think their assumption is that there will be DID solution available soon (perhaps by other team), so they can free-ride on the effort of others
  84. Kjartan
    One could be snarky and say, it's currently the same as twitter - jsut with the data being stored by pds'. with the
    plc.directory
    being like what's today twitter. They could still "kill your identity" by simply deleting you on bsky and removing you from
    plc.directory
    . Then no other pds would be able to take you in either, because all other pds' wouldn't be able to find you either
    (edited)
  85. kcchu
    yes, you are right about the current situation. that's why they call it Placeholder DID with the intention that it will be replaced soon
  86. Kjartan

    In reply to this message

    Yeah. I know. And I might get all excited myself one day. But the status quo is not so different from what already exists (I don't like Mastodon, but right now Mastodon is actually ahead regarding a decentralised network - even though I really don't like to see it this way, as I'm not happy about Mastodon at all)
  87. And to somewhat close the circle to my statement in the beginning - this would be already and right now different if the focus was on the handle instead a did
  88. kcchu
    I personally take that AT Protocol is under development and incomplete, so I accept that there things that need time to sort out. But if you ask me whether it is getting too much publicity before it is ready, i think it is.
    (edited)
  89. Kjartan
    Absolutely. Fully agree. We are talking about a beta. Many of my concerns might be just temporary, and next time I might have a compeltely different view on it.
  90. Kjartan
    I think it was unwise to get the "common people" into it so early. This way they have to deal already with moderation or clients and such stuff, instead of focusing fully on the protocol itself. Would have been better imo to work just on the server - and have independent devs trying it out on their own instances. They could still collect what's missing (like blocking was) or what's buggy, while the Bsky team would be able to work on the protocol itself without any interruption or urgencies to act on specific bugs
    (edited)
  91. kcchu
    Absolutely agree on this
  92. Kjartan
    But now with WashingtonPost or politicians etc on
    bsky.social
    - they have no choice but to act on some bugs immediately, maybe spend hours even for just temporary workarounds, to prevent any damage or liability. But it's their decision to make, not mine :)
  93. @neilalexander:matrix.org

    In reply to this message

    IMO it's useful to have some "common people" because a) they will definitely discover things that power users will ignore, b) the usage patterns are very different and c) it prevents you from designing for a single class of users
  94. Kjartan
    Yes. But those things would be discovered likely on private instances - with the instance admins would have to deal with moderation etc
  95. @neilalexander:matrix.org

    In reply to this message

    Instance admins would find their hands are tied if the tooling doesn't exist, which is why the feedback loop is essential
  96. It is important for the devs to understand what it feels like to admin a server
  97. Kjartan

    In reply to this message

    Then just make "test weekends" (not encessarily weekends) and switch it off in between (like a lot of other services do as well in their early stages)
  98. @neilalexander:matrix.org
    But that doesn't really capture the usage patterns
  99. kcchu
    I think Kjartan's point wasn't that "common people" should not be invited to Bluesky, I do think that a variety of people should try the platform and their feedbacks are important. But it is a matter of scale. If there were too much attention from the public too early, Bluesky team will be overwhelmed by the issues and skew their priorities as we have seen.
    (edited)
  100. xnf0k

    In reply to this message

    The moderation app (redsky?) Is not open source yet afaik. There's not much "admin experience" right now. Which is fine, they're dealing with a lot of stuff and rapid dev, etc.
  101. @neilalexander:matrix.org

    In reply to this message

    The thing is, Bluesky is and always was destined to get outside attention because of the nature of how the project was founded in the first place. I agree that not onboarding too many users is absolutely the right thing to do, but I don't really agree that shifting the problem off onto other server admins to figure out how to moderate is right yet
  102. Kjartan

    In reply to this message

    Oh the commons absolutely should try it. Their feedback is somewhat even the most important (as they are targeted as users later). It's also about who has to care for/ is responsible for them. This shouldn't be Bsky imo. At least not 24/7.
  103. In reply to this message

    It's probably also a thing about what to expect as a user. I think no one would expect a perfect service of some small individual service. And even though it's officially only a beta, there are huge expectations in
    bsky.social
    (like I said, with newspapers and politicians etc on board)
  104. Hyolobrika (carrier pigeon bridge (sorry about the delay)) joined the room
  105. Kjartan
    If things go out of hand, the individual server can be just shut down until a solution is found (if the problem can't be solved otherwise). I think A LOT would have to happen in order to bsky considering to flip the switch for
    bsky.social
  106. Before this would happen, the whole team would focus on an issue even if it's of a nature which might be known to be of no importance in the future (for example an issue which might be obsolete within days or weeks anyway because soemthing gets replaced or whatever)
  107. It kinda removed the freedom of saying "we're aware, but we don't want to deal with it right now"
  108. If 50 private instances decide to go temporary offline, it wouldn't matter. If the instance which has been mentioned in media goes offline, it's a different thing
  109. kcchu
    I get the points. I just hope that the people and mainstream media could calm down a bit and give bsky team more time and freedom to prioritize things. I think they have been doing very good so far. But I can only hope and as a reminder, maybe we are getting slightly off topic 😀
    (edited)
  110. Dominick Rangel
    I would move this chat to a different room
  111. Kjartan
    You're both right
  112. @neilalexander:matrix.org
    (on the plus side, at least it's not invite spam for once)
  113. Kjartan
    Is there any other value needed? I have a value set, but don't see any codes created
  114. xnf0k

    In reply to this message

    no just that. What value is it set to and how old is that user account?
  115. Kjartan
    I have tried values from 60 to what would be one day in milliseconds. It's maybe about a week old.
  116. Maybe `createAvailable` is not sent?
  117. xnf0k
    Maybe the client you're using isn't sending true for that
  118. Kjartan
    I was just wondering the same
  119. Default is false?
  120. The staging.bsky… doesn't seem to send it
  121. nope, it doesn't. then that's it, probably
  122. Thanks!
  123. xnf0k

    In reply to this message

    Weird then how are people seeing new codes
  124. Kjartan

    In reply to this message

    Hm… Maybe on a different client. Like maybe it's just on the phone apps. Or it's by default true and not necessary… I'll do some debugging later :)
  125. ryota joined the room
  126. Kjartan
    Haven't checked it yet (as in: tried things again) but the default is actually true. So while the client doesn't send it, it shouldn't be the reason why no codes were created (but yeah, I'll try again)
  127. valka joined the room
  128. LG
    Hello! I am developing a small bot for fun on bluesky. It primarily uses @atproto/api I am wondering if there is a way to filter the author feed by datetime, similar to the twitter until and since search parameters?
  129. joshlacal
    I would also like to know ^
  130. morgenruff joined the room
  131. Mark Foster SSI: @mfoster.io

    In reply to this message

    Have you looked into some of the new Vercel edge file storage features and https://uploadthing.com/ yet? If I remember correctly some similar topics around this issue came up there… might find some solutions there.
  132. mikuhl

    In reply to this message

    I'm not uploading anything, just trying to display the timeline. The framework serializes objects but for some reason specifically BlobRef fails.
  133. possibly due to it being a class not an interface?
  134. wolix
    Hey guys iam have question for bluesky be available on Android
  135. mikuhl

    In reply to this message

    it is
  136. wolix
  137. Iam see very much late to see app
  138. Iam not invited on bluesky sadly
  139. Mark Foster SSI: @mfoster.io

    In reply to this message

    Are you working in the browser? You can utilize the service worker and WASM as well to compute with blobs in the client so maybe dig in some of those topics. WorkerBox is a package that focuses on Workers and https://github.com/GoogleChromeLabs/squoosh might have some good packages to look at.
  140. Mark Foster changed their display name to Mark Foster SSI: @mfoster.io
  141. wolix
    Actually iam don't get invite code for bluesky
  142. Be able to use app probably
  143. @neilalexander:matrix.org
    Well it finally happened, I finally managed to get my Swift library to log in and post successfully to Bluesky
  144. Kjartan

    In reply to this message

    Congrats!
  145. Mark Foster SSI: @mfoster.io

    In reply to this message

    Congratulations 🍾🎉
  146. wolix

    In reply to this message

    Congrats
  147. Kjartan
    I know how it feels - I was today finally able to read skeets on Safari 14🥳
    (edited)
  148. wolix
    Iam on fluffychat app element have problems to crash me any time open room or space
  149. @planetoryd:matrix.org

    In reply to this message

    yes, their apps suck. matrix is a terrible protocol
    (edited)
  150. Kjartan

    In reply to this message

    Don't know. Is it really the protocols fault (not asking rhetoric, I wouldn't know). But in many (other) cases it's often just the clients' fault
  151. foxlet
    Yeah, that just sounds like an Element problem (they're rewriting the mobile apps).
  152. raymondz (@raymondz:matrix.org) joined the room
  153. @dead10ck:dead10ck.com

    In reply to this message

    A client crashing is almost always the client's fault
  154. In reply to this message

    They have their problems, but I'm optimistic about the new client code they've been working on.

    You should also try to keep in mind that people that actually work on Matrix frequent this room, so it would be more polite to keep criticisms productive

  155. jroberts joined the room
  156. edwardcallow joined the room
  157. Kandy (They/She, DMs Open)
    hi, can't wait to see folks use the sandbox stuff
  158. seeing how others use federation is gonna be really interesting!
  159. Compy@compy:hazenet.org

    In reply to this message

    For sure! I'm ready and waiting. I know when I started running my federated matrix server, the bandwidth rush was insane.
  160. caleb

    In reply to this message

    is there a testflight link for element ios x?
  161. caleb
    lol cinny as an iphone pwa kinda works now that iOS has web push
  162. @meowmeowmilktea:matrix.org left the room
  163. Mark Foster SSI: @mfoster.io
    Message deleted
  164. Message deleted
  165. Mark Foster SSI: @mfoster.io

    In reply to this message

    What ATProto package are you using from here to read the CAR?
    https://github.com/bluesky-social/atproto/tree/main/packages
    Here is an IPLD version of it:
https://github.com/ipld/js-car
  166. engineersam ⚡️ joined the room
  167. michaelcw joined the room
  168. Ed Goode
    Does anyone have a bluesky invite? 😄 I am not so deep in the social graph that I've been able to get one, but I have been following and working in the DID world for a while. Would love to try out one of the first viral apps
  169. Anonymous
    We've been trying to get an invite for days, no luck. They're hard to come by.
  170. engineersam ⚡️
    I do wish the sign up page sent an acknowledgement email after submission.
  171. @darkflame72:matrix.darkflame.dev joined the room
  172. caleb
    tyty
  173. boo no sliding sync on
    envs.net
  174. hmm...
  175. Typo Kign joined the room
  176. @ytoooo:matrix.org joined the room
  177. caleb
    made a new account on
    matrix.org
  178. element x ios is snappy if incomplete :p
  179. zooooooo joined the room
  180. syui
  181. engineersam ⚡️
    Out of curiosity, has anyone done a comparison between the AT Protocol and the Inrupt Solid work?
  182. moved to @shreyan:beeper.com@shreyanjain:matrix.org

    In reply to this message

    i'd actually love to see one of those too
  183. moved to @shreyan:beeper.com@shreyanjain:matrix.org
    even the terminology is similar, Personal Data Store and Personal Online Data Store..
  184. zooooooo
  185. moved to @shreyan:beeper.com@shreyanjain:matrix.org
    when I first read about how the at protocol would work my mind immediately jumped to solid
  186. engineersam ⚡️

    In reply to this message

    Yes. It feels rather close, and there are already Solid tools for manipulating the Solid PODS. If a Solid PODS could be exposed as an AT Protocol PDS, then we could take advantage of the Solid work.
  187. moved to @shreyan:beeper.com@shreyanjain:matrix.org
    for sure
  188. solid's work still feels very incomplete though
  189. lamrongol
    I've started a trend analysis system( https://staging.bsky.app/profile/trend-words-en.bsky.social ). However, there is a problem on Bluesky search. Today "King Charles" is trending. This is obviously in response to the coronation of King Charles of UK. However, when searching for "Charles", We get a bunch of completely unrelated posts from days ago (and they don't even have many Reposts or Likes). I don't know Bluesky search algorithm, but wouldn't it be better to put them in chronological order from the newest to the oldest, instead of making some poor attempts?
  190. carlos joined the room
  191. @roooy:matrix.org joined the room
  192. qpalzmwoskxneidjcb joined the room
  193. @planetoryd:matrix.org

    In reply to this message

    Especially the protocol. Their protocol uses full-mesh routing. The solution is either ipfs-pubsub or https://github.com/freenet/locutus/
  194. And is their proposal for DID going to be in the RFC hell for years ?
    (edited)
  195. kcchu

    In reply to this message

    I wrote a comparison between ATP and Farcaster (another decentralized social protocol). I understood the architecture of SOLID, but it seems to me the social application on SOLID isn’t solid - they are more like PoC. SOLID is geared more towards personal cloud applications (think Google Suite) than social network imo
  196. @roooy:matrix.org
    Message deleted by Administrator
  197. @planetoryd:matrix.org
  198. Justin Walker joined the room
  199. Justin Walker
    came here because Elon banned me after I called him a dickhead :-)
  200. damon/
    Please do not ask for codes
  201. This is a developer chat
  202. Justin Walker
    not looking for codes, I can wait
  203. interested in dev
  204. damon/
    Okay, thank you for understanding
  205. Welcome!
  206. Justin Walker
  207. where is the source base? is it open?
  208. Haixuan Tao joined the room
  209. engineersam ⚡️
    I will be interested to see how the community labelling develops -- I hope it will have the potentially to support a numerical rating for labels, instead of a just a boolean "this is marked with a label, and that is not."
  210. Kandy (They/She) joined the room
  211. Kandy (They/She)
    Hey, been getting a lot of articles about bluesky lately. Glad things have been moving the way it has!
  212. Also, the fact that they made a chatroom for this is cool omg
  213. Roj

    Which one is the preferred?

    • atproto (repo name)
    • ATProto (idk if this is written)
    • ATProtocol (logo)
    • AT Protocol (in docs)
  214. Kandy (They/She)

    In reply to this message

    Preferred as in what looks/sounds better?
  215. Roj
    No, as in what the corp writes.
  216. Kandy (They/She)
    AtProto is a nice Nickname
  217. In reply to this message

    I think they just switch back and forth with it. Almost like bluesky's branding/logo
  218. Roj

    In reply to this message

    They (or at least we) need to agree on something.
  219. Kandy (They/She)
    (the branding/logo is a bit more intentional since the loosen is supposed to be their way of symbolizing the decentralization, I think???)
  220. In reply to this message

    I just default to AtProto or ATP
  221. I don't think it's a big deal or anything tho
  222. Roj

    In reply to this message

    Not to you maybe
  223. @flooore:matrix.org joined the room
  224. Bryant joined the room
  225. Seth Glickman joined the room
  226. moved to @shreyan:beeper.com@shreyanjain:matrix.org

    In reply to this message

    tbh ipfs pubsub is pretty imperfect as well
  227. @planetoryd:matrix.org
  228. Kjartan
    I had somewhat different expectations regarding bluesky, compared to how things start to appear now. I'm just curious: are there others as well, who got maybe more excited than they are now? Or in other words: Was it just me who got it wrong in the first place? This is no criticism (it's a nice protocol), I just hoped for something even better 😅
  229. moved to @shreyan:beeper.com@shreyanjain:matrix.org
    yeah, happens a lot
  230. i think expectations may have ended up a little too high
  231. @dead10ck:dead10ck.com

    In reply to this message

    Seems like a somewhat ridiculous question, given it's not even public yet, tbh
  232. Kjartan

    In reply to this message

    Why? Just because it's not finished yet, doesn't mean that impressions can't have changed already. I would even argue, that it's more likely that opinions and first impressions will change more (and more frequently) while the development is still in progress
  233. @dead10ck:dead10ck.com

    In reply to this message

    If a new shopping mall were being built, and they got one section of it constructed, and you got an early look inside this half finished mall, while the rest of it was still just exposed steel framing, would you say "man, this is not what I was expecting"?
  234. Kjartan
    I would yeah. And when the next section gets added, I would reconsider, and after the next section again. And I see nothing wrong about it. Let's imagine the opposite: I first think it's great, but the shops which matter to me aren't there at the moment (might come later, but no one knows for sure) - then it would be strange to say "OMG this new mall is my absolute favourite - but I never buy there anything and get all my things at OtherMall". Lets even assume my stores will definitely move to that mall in the future, then I still wouldnt do my shopping there right now (because I can't buy my stuff there yet). And I think it would be also justified to be somewhat less enthusiastic at that moment. It's not the mall's fault - still the expectations aren't met (while my expectations might have been too high to begin with - which somewhat was part of my question). To bring it back on topic: I was expecting mail like decentralization (which isn't even anymore discussed as far as I see it - best future scenario seems to be, to pick from several plc registries). I recognised some big concerns regarding GDPR, which I wasn't aware of in the beginning (which right now seem to me basically unsolvable). I liked the idea of a portable identity, but realised that this is something I never really wanted/needed, so while this isn't a disadvantage, I lost my original excitement about it. Next month I might have a completely new view on things. But right now, my excitement isn't the same like it was for example a month ago 🤷‍♂️
    (edited)
  235. Kjartan left the room
  236. Aaron Goldman

    In reply to this message

    What are your GDPR comserns
  237. A PDS should be able to remove repos at the controller's request
  238. rettetdemdativ joined the room
  239. goykasi joined the room
  240. Kjartan joined the room
  241. @flooore:matrix.org
    Message deleted by Administrator
  242. Kandy (They/She, DMs Open)
    oh no, scammers learned about matrix lmao
  243. zooooooo
    @mods ? idk how moderation on matrix effectively works 🙈
  244. Mark Foster SSI: @mfoster.io
    This is why we need article intent in meta tags for cross posting
  245. kcchu

    In reply to this message

    If you prefer email like architecture, Mastodon (and Fediverse) already did that. You don’t need AT Protocol. But I wrote an article on why Mastodon’s federation model is undesirable and why the DID part of AT Protocol is an essential improvement to the shortcoming of Mastodon. https://paragraph.xyz/@kc/content-moderation-of-social-internet
  246. Kjartan

    In reply to this message

    The amount of data shared is "crazy". And offers possibilities in a way we haven't seen before. A lot of those have been so far only available for the service(=Twitter, Facebook,...); but they are problematic, that's why the GDPR limits those possibilities. They aren't allowed to use the data for whatever purpose they want, they aren't even allowed to collect some of the data. Like they aren't allowed to use a mobile number which was given for 2fa, they can't just use to inform you about a new product. And some data may not be collected at all, if there is no good reason to collect it.

    I'm not a lawyer so I'm only speaking from my amateur point of view: the first issue already is: whoever wants to do "evil" doesn't even need to store data anymore (so all parts of GDPR regarding storage is circumvented), they can simply access them on demand. The access is easier than ever before - you can download literally just everything of a user by requesting their whole repo. With dids this isn't even anymore limited to a "username" it'll be often the whole history of a person, following even dozens of username changes (also nice: you can already check which other handles someone used - a lot of this information will give deeper information into external user databases, like "oh, we have also two such users, which we thought were two different individuals - look at those, they really made a new account because... some reason"). The user gave this information to this social media, without understanding what they do possible to totally different areas of their life.

    The bigger issue though is - I have doubts, that any "evil entity" even does anything illegal. The data is offered publicly. It's most likely offered for federation, but can the data abuser know that it wasn't offered for whatever purposes - can anyone proof them any knowingly wrong doing? They never even had to pretend to use it for anything else than "evil". If someone goes to town center and yells their secrets for everyone to hear, it is okay for everyone who can hear it to know it. There was no illegal action in obtaining the information. But if the information is accessible on demand and doesn't need to be stored, they don't have to fear being caught anyway. Amazon could access your repo and adjust their advertising based on your repo data. On demand, on the fly. Without the need for cookies, without having anything about you stored, and without you knowing. Yes, they need to know your did - hopefully you have a custom handle and it's a match (

    for
    user@example.com
    customer email) or maybe its just a matter of time until there will be a "login via did" or "get shipping updates direct as a (then existing) atproto-DM). I guess it would be legal, but even if not, who will catch them doing, their HDDs are clean. You need a mortgage - well the bank is definitely allowed to base their decision on "public knowledge". Insurances, etc - everyone could use it far better than "old social media" ever allowed. You can't even request that access cant happen before the accessor acknowledges that your data is not to be used for any such evil purposes, because then things wouldnt work anymore. Yes, you can request your data to be deleted, but this means that your data is gone. This was one of the parts which were intended to be avoided in the first place. It's like deleting your Google account - kinda what you would like, but also something you simply won't do, because a lot of the data you really still want to access and use. While deleting is problematic too - you have no control over who has got already your repo stored somewhere away (probably then against GDPR - but it's impossible to follow where it landed). Right now on HN you can download a backup of 1.6M skeets.

    And it's still early, with the first tools appearing. I guess it's by far not even the top of the iceberg, leave alone the massive threat lurking in the dark waters. Crazier tools will appear, with possibilities I likely even haven't though of yet. Labels might make it a lot easier/faster/more efficient to access already somewhat preprocessed data. Yes it's all beta and some things hopefully will get more restricted, but I think we also don't know yet the possibilities.

    But to me it looks (right now) like the wet dream of any data collector/ processor (regarding laws, but also the collection, storing gets so much cheaper as it'll done by others), and a nightmare/ruin for pds servers (if GDPR makes the pds service liable) or a complete sellout of your private data in a way one hasn't even imagined. I personally don't mind any of the content I post to be known by anyone (or I wouldnt post it in the first place) but most average users aren't aware of what they are doing. And even I slowly start to feel uncomfortable (like the handle history is something I haven't thought of).

    My interest in bluesky/atproto is not only for private use but business purposes, too. For the later it seems right now too "dangerous" to me (although likely highly lucrative).

    GDPR is quite strict what you may do. Things which seem maybe pretty harmless can get heavy fines. One can argue who exactly would get burned (the data abusers are possibly safe here, but again, ianal), but someone will get burned, I would guess (probably the pds instances as they were the once who shared the data, without their users being fully aware of how the data could be used). And even if not - then the loss in trust by the users, which would happen eventually, might cost as much.

    Like in the former message: this is my view right now. Things still change, as the information about atproto/bsky changes. Next month it might be completely different.

  247. In reply to this message

    I really like a lot about mastodon. I just disagreed with some of their design decision too much. Sadly, because the majority of it I liked. Interestingly: the disagreeing in mastodon was for 95% about things, I wished they had copied of emails :D
  248. adamwilson joined the room
  249. bullworm joined the room
  250. @dead10ck:dead10ck.com left the room
  251. Joshua Hastings joined the room
  252. @yakimapride:matrix.org joined the room
  253. @yakimapride:matrix.org left the room
  254. pedropaulovc joined the room
  255. goykasi
    Is it intended that all signing and rotation keys are the same for a particular PDS? I was expecting each DID/user to have unique keypairs. At this point, it makes sense that they are the same, but is there a time in the future where they would be unique?
    (edited)
  256. If it is meant to stay that way, how would a user be able to move to a different PDS since they dont have control of the keys?
  257. blckwd joined the room
  258. moved to @shreyan:beeper.com@shreyanjain:matrix.org

    In reply to this message

    Eventually I think you'll have access to your recovery key for that purpose
  259. @confidant1118:matrix.org joined the room
  260. @confidant1118:matrix.org
    Hey, can the AT Protocol be self-hosted kind of like Mastodon?
  261. goykasi
    Itd be nice to have access to the signing key too. That would allow potentially doing public e2e encrypted messaging
  262. In reply to this message

    Some of it is functional, but if you dont have an invite code, it doesnt look possible to federate and broadcast to
    bsky.social
    users
  263. @confidant1118:matrix.org

    In reply to this message

    Well I guess, I will have to wait till someone in my circles gets an invite.
  264. Danny Garden (they/them) joined the room
  265. @alexdeltax:genix.chat

    In reply to this message

    In the context of backups, GDPR seems like doesn’t regulate this part. For example we have weekly backups of fb for decade. We can store this data on LTO data-cartridges or any other cheap storage systems. As a rule, they are isolated. In this case, any company still have access to your data even if in current state it was removed.
  266. konsti_ joined the room
  267. goykasi
    Question to users that have been able to signup on bluesky. Do they allow you register via a self-hosted PDS? Or do you have to use
    bsky.social
    ?
  268. moved to @shreyan:beeper.com@shreyanjain:matrix.org
    you can totally sign up on any pds. they just don't federate yet.
  269. goykasi

    In reply to this message

    Right. I have been playing around with that over the weekend https://plc.directory/did:plc:qrfk2dvrkl4nqqmzpr4zq4mz/log
    But I guess I wont be able to push any data until they launch the federation sandbox
  270. moved to @shreyan:beeper.com@shreyanjain:matrix.org
    yep. they will probably open it up soon though 🙂
  271. @atika12939:matrix.org left the room
  272. goodmachine joined the room
  273. Jason Blum joined the room
  274. @nic:matrix.nicfab.it joined the room
  275. @nic:matrix.nicfab.it
    Hi everyone! I stumbled upon your project and am interested in following the development. I am not a developer but a lawyer dealing with data protection, privacy, and cybersecurity.
    (edited)
  276. sylphrenetic

    In reply to this message

    I really appreciate you bringing this up, because I had this concern a while back and completely forgot about it. it certainly does seem like if indexers' and PDSs' data are fully public that companies could profit off the the public data without ever having to worry about GDPR concerns, while users are left out to dry.

    it's also a good question about whether PDSs themselves would be liable for being "irresponsible" with people's data by just letting it be public (even by design, even with people's permission). I think the law just hasn't caught up yet to this kind of tech and really needs to.

  277. Khushraj Rathod joined the room
  278. souramoo joined the room
  279. @flooore:matrix.org
    Message deleted by Administrator
  280. 10.0.90 joined the room
  281. suzuwu joined the room
  282. Vitaly Goncharenko joined the room
  283. Jafet Benítez joined the room
  284. konsti_

    In reply to this message

    I’m not sure I’m thinking the same way about this. I look at having a repository with posts in it like having a public blog on the internet. Don’t the same rules apply there as well? I guess it’s right that it might be unintuitive or seem more open than Twitter or a tradition social network but since posts are generally intended for a public audience anyway the jump isn’t that big, no?
  285. Justin Appler joined the room
  286. Kjartan

    In reply to this message

    Not sure about that. With a blog, it's basically really just the content. And access/processing blog content can be somewhat monitored (and limited if needed). That's what my concern is: it comes with integrated bulk access (you wouldn't be able to get a complete blog with just one request) and if you ever changed the domain of a blog, it likely wouldn't include all earlier names/addresses (and there is likely more, we haven't thought of/ seen yet). Even if WE are aware of it - the average user likely isn't aware of, and might not have agreed to it
  287. Justin Appler
    Is there any notion of record privacy or record namespacing in the protocol? That is, are all records public to everyone and are all records part of the same global graph?
  288. Aaron Goldman
    I think of publishing a repo like publishing a magazine. Once Time published an issue and it's on news stands it's hard for them to guarantee that all copies are destroyed. Some individuals and libraries keep old issues of magazines. Some researchers use old magazines for unintended uses like tracking how word use changes over time. Even well documenting word use is not the primary reason the articles are included.
  289. They can print retractions but can't really un-publish a edition
  290. Justin Appler
    Gotcha, so the Bsky lexicon as it stands today only supports a single, global, public graph of posts and other records? AFAICT from the existing docs, no affordance for private messaging either?
  291. goykasi
    I think that is mostly correct, but there is nothing stopping other teams to extending the lexicon to include more privacy oriented features
  292. I would personally like to see more control given to users over signing keys. Currently, each PDS has a single keypair for signing and verification (from what I can tell). This makes it difficult for users to truly move around. I am hoping this will change in the future. If we had keypairs generated per user, we could very easily have encrypted messaging on the network.
    (edited)
  293. But I understand why that wasn't done atm. Keeping keypairs secure is not necessarily an easy thing to do. And most people probably wouldnt want that responsibility. But as the blockchain people like to say... "not your keys, not your .... posts"
  294. Aaron Goldman
    Not your key not your repo
  295. Skyler Hawthorne joined the room
  296. @rbtgeorgi:matrix.org joined the room
  297. @00c:matrix.org removed their profile picture
  298. @00c:matrix.org removed their display name (00c)
  299. @00c:matrix.org left the room
  300. Mike Freeman joined the room
  301. mikuhl
    Can you guys PLEASE put "type": "module" in your package.json
  302. Kjartan
    YOu want me to put my what in my what? 👀
  303. mikuhl
    You are using es exports, but your packages have commonjs type.
  304. Makes it really annoying to use.
  305. Kjartan
    commonjs like javascript?
  306. mikuhl
  307. all the atproto packages default to commonjs, despite using ecmascript exports
  308. you have to do this ugly thing because of it

    12import bsky from "@atproto/api";
    const { BskyAgent } = bsky;
    
  309. Kjartan
    To be fair JS is always ugly. Sorry. I'll shut up 🤣
  310. justthisguyatx
    Hey, snarfed Is arroba the successor to lexrpc, or is lexrpc going to continue to develop?
  311. snarfed
    justthisguyatx: they do different things! lexrpc is XRPC + Lexicon, arroba is a PDS repo
  312. justthisguyatx

    In reply to this message

    Thanks. I suppose I could have actually looked closer rather than skim, rather than taking this lazy route. I appreciate the response.
  313. amparise joined the room
  314. chinchilla optional joined the room
  315. @alexdeltax:genix.chat left the room
  316. Chris Lace
    Keep up the good work guys
    The app. is steady improving 👍
  317. panji.bsky.social
    👍
  318. Chris Lace
    Will (BlueSky) be doing verification checkmarks? 🤔
  319. moved to @shreyan:beeper.com@shreyanjain:matrix.org
    oh that could work as an account labeling thing
  320. Chris Lace

    In reply to this message

    I would love it. It’ll make accounts official from others and keep down these bots or trolls. Stop impersonating
    (edited)
  321. ryangallagher
    Oh so many jokes. Must bite tongue. 😏
  322. justthisguyatx
    Chris Lace: Do you mean adding some indicator on accounts that have validated handles against a domain, as opposed to accounts just using the native handle? Or do you mean some additional verification?
  323. Chris Lace

    In reply to this message

    Just checkmark verification whatever you guys create, because there’s gonna be more Brands, Entertainers, Athletes, and Businesses a-boarding the app.
    (edited)
  324. Aaron Goldman

    In reply to this message

    It may be better to frame the question as How will bluesky support verifiable credentials?

    Verification of control of a domain name is different than an email address is different than verified employee of an organization is different than verified age.

  325. Chris Lace

    In reply to this message

    Wow 😮 sorry
  326. Aaron Goldman
    I hope a lot of this can be done by verified domain names.
  327. Chris Lace
    My Apologies
  328. Aaron Goldman
    Some domains have a lot of trust
    whitehouse.gov
    npr.org
    xkcd.com
  329. Chris Lace
    I don’t have my own domain name but I have I.D. Google Knowledge Panel, or a Wiki article 🤔
    (edited)
  330. justthisguyatx
    Chris Lace: At the moment, if you own a domain, you can verify your handle/I'd against that domain via DNS. For example, when I joined, I was assigned
    justthisguy.bsky.social
    . Since I own
    justthisguy.net
    , I was able to add a record in that domain's DNS, and make
    justthisguy.net
    my Bluesky handle. It verifies that I at least control that domain, which adds some credibility to the account. That's currently the (very rough) equivalent to a blue check.
  331. Aaron Goldman
    Wikipedia is tricky. For a Google knowledge panel I don't see a reason they couldn't have a DID uri in the panel
  332. Chris Lace

    In reply to this message

    Yes I definitely want add value to my account
  333. justthisguyatx
    Larger trusted domains, as Aaron Goldman mentioned, could be considered pretty well validated.
  334. Aaron Goldman
    It's a good argument for letting users bind multiple urls to their DID
  335. justthisguyatx
    @chrislace I'm currently using my domain only for this purpose, with no website or other exposed asset, so I don't bring any real validation other than the fact I own that domain. Not sure it adds that much value, aside from that ownership connection.
  336. Chris Lace
    So I can just go to the platform and create one? Because I don’t have a domain name now
    (edited)
  337. Aaron Goldman
    The trick with most validations is Who should witness which facts? It is easy to send a email verification code to an address if you wanted to run an email verification service. Harder is using DKIM signed email as the credential
  338. justthisguyatx

    In reply to this message

    If you bought a domain now, you could easily link it to your Bluesky identity.
  339. Chris Lace
    Well I will be in tuned until everything is worked out. Thank You! 👍
  340. Aaron Goldman
  341. justthisguyatx

    In reply to this message

    I need to go back and check, but I believe this is part of the W3C DID standard. And yes, absolutely. Multiple points of verification is a good thing.
  342. Ah. Nevermind. You're way ahead of me. :D
  343. Aaron Goldman
    ,"alsoKnownAs":["at://
    bsky.social
    "] is a list the DID certainly allows it
  344. justthisguyatx

    @chrislace Broader extra credit much reading:

    https://www.w3.org/TR/did-core/

  345. justthisguyatx
    I think alsoKnownAs is one the most interesting aspects of the DID, going forward.
  346. gatya45 joined the room
  347. @aqua:aquatica.space left the room
  348. Matthew
    (can i get an invite code topup at some point please? O:-)
  349. Chris Lace
    Goodmorning everyone
  350. Chris Lace
    Is @whyrusleeping still available? 🤔
  351. tiago joined the room
  352. whyrusleeping
    Sup?
  353. whyrusleeping
    Matthew: i got you :)
  354. damon/
    whyrusleeping: me too please if possible
  355. snarfed

    In reply to this message

    the broad answer to this is https://blueskyweb.xyz/blog/4-13-2023-moderation . they plan to let third parties moderate and verify all sorts of different things about accounts, and users can choose to use any of those they want
  356. Matthew

    In reply to this message

    thankoo
  357. (is it just me or are all the “bluesky needs to ban X now” people missing the nature of decentralisation and bsky’s moderation plans?)
  358. damon/
    Yes and no. Some of them are well aware but have convinced themselves that BlueSky is a Twitter alternative
  359. goykasi
    whyrusleeping: do you know if there is ETA for when federation lexicons will be published? i saw some mentioned while poking around the repos, but i didnt see them in the docs
  360. damon/
    Thus they have said the team needs to forget federation
  361. valka
    most people don't get it because they're normal social media users so some don't understand what decentralization means in the first place, much less how bluesky can - and will - be something different than they've never experienced before, and a lot of them who vaguely understand seem to think it's going to be like mastodon
  362. so user education is clearly needed using more analogies like in the first faq post, or something
  363. seeing the opinion of "why would we want federation at all" and even "why would we want open source with a permissable license" broke my brain a little bit (in a "I've never encountered this this before" kind of way)
  364. anyway I think all of it just highlights why ux is so important
  365. Seth Glickman
    is there a preferred place to report web app JS errors?
  366. TabAtkins
    "Decentralization" doesn't somehow remove the need for banning. Each server still needs to ban bad actors as appropriate. And
    bsky.social
    is (a) currently the only server, and (b) intending to remain as a primary starting server, so keeping itself safe and trustworthy is important.
  367. Decentralization just means that servers get to make their own decisions about banning and can disagree on what bannable offenses are. We're deciding what that is for this server right now. There's literally zero contradiction.
  368. suzuwu

    In reply to this message

    🥺
  369. Chris Lace
    Yes I would like to have some invites
  370. unclegordy joined the room
  371. Seth Glickman
    Message deleted
  372. suzuwu
    We all I guess 😁
  373. Sasha Savchuk joined the room
  374. Cameron Pfiffer joined the room
  375. foxlet

    In reply to this message

    To be fair all that means very little when there's no real federation going on yet.
  376. moved to @shreyan:beeper.com@shreyanjain:matrix.org

    In reply to this message

    +1
  377. moved to @shreyan:beeper.com@shreyanjain:matrix.org
    pfrazee's medium article about moderation in decentralized social networks is always what I think about whenever I see a post asking about bluesky moderation.
  378. Matthew
    the second half of https://matrix.org/blog/2020/10/19/combating-abuse-in-matrix-without-backdoors is pretty aligned, from the matrix perspective
  379. (not that we have made fast progress on hooking it up)
  380. moved to @shreyan:beeper.com@shreyanjain:matrix.org
    wait: are you THE matthew? creator of Matrix?
  381. Matthew
    yes, i started matrix (although not sure that’s very special given the name of the game around here is new decentralisation projects :)
  382. moved to @shreyan:beeper.com@shreyanjain:matrix.org
    🙂
  383. makoto_aijima52 joined the room
  384. engineersam ⚡️
    I will admit to some curiosity as to how the Bluesky identity/verification scheme will age. Tying it to domain names is an interesting idea, but... suppose someone uses @
    i.am.bob.com
    . Can that ever be re-used by someone else? If Bob dies after fifty years and some other Bob gets the domain, then what? Is Bob 2 stuck with being associated with everything the first Bob did? Etc.
  385. moved to @shreyan:beeper.com@shreyanjain:matrix.org
    nope!
  386. they just update the dns record
  387. engineersam ⚡️
    So does that mean Bob 2 could then pretend to be Bob 1 and have access/auth to everything Bob 1 did?
  388. moved to @shreyan:beeper.com@shreyanjain:matrix.org
    no, because the domain verification is separated from the actual account.
  389. goykasi
    Bob2 would need Bob1's credentials to auth on Bob1's PDS
  390. and/or recovery key to move (i believe)
    (edited)
  391. engineersam ⚡️
    Okay. Hmm.
  392. moved to @shreyan:beeper.com@shreyanjain:matrix.org
  393. Chris Lace
    I would like to get an invite code if possible ..Thanks!
  394. Brenden Riggs joined the room
  395. @aaap:matrix.org left the room
  396. Aaron Goldman

    In reply to this message

    It is worth noting the distinction between a handle and a DID.
    Let's take the example of @

    control of this domain changes about every 4-8 years.

    When I search for @

    I will get the DID that is named in the DNS record

    1_atproto.whitehouse.gov. IN TXT "did=did:plc:fivojrvylkim4nuo3pfqcf3k" 
    

    but when I click follow the DID uri is the string that is added to my follow list.
    When I @mention the handle string will appear in the text of the post but the DID uri will appear in the metadata on the post.
    Even once the domain moves to the next president the link in your post will still go to the controller of the DID not the controller of the DNS name. Someone that looks at your follows will see you as following the DID not the DNS name.

    The handle is basically a fancy search that you used to find a DID at a moment in time. Also when you localy do a search after the transfer you should get a result that looks like a disambiguation page with the @

    from your follow list and the current one from DNS telling you that the old one has renamed.

    This is analogues to what happens to the https://twitter.com/potus twitter handle when there is a new potus the old handle is renamed to https://twitter.com/potus45 and a new account with a new UserID is renamed to https://twitter.com/potus all the old follows and mentions stay linked to @potus45 => 822215679726100480 and the new mentions point to @potus => 1349149096909668363 if you follow https://twitter.com/potus today you will find you are folowwing @potus46 => 1349149096909668363 at some point in the future.

  397. Brenden Riggs
    I don't have an invite yet, but I think the AT protocol looks promising. Already the GitHub ecosystem is looking very healthy. Looking forward to when my name gets called on the wait-list so I can take a swing at some of the outstanding issues on some of the existing python repos.
  398. This was a great explainer! Thanks for taking the time to write this up!
  399. suzuwu changed their profile picture
  400. MightySpaceman changed their display name to MightySpaceman (OLD -> m_spaceman:matrix.org
  401. MightySpaceman (OLD -> m_spaceman:matrix.org changed their display name to MightySpaceman (OLD -> m_spaceman:matrix.org)
  402. Brenden Riggs set a profile picture
  403. Kjartan

    In reply to this message

    In reply to
    moved to @shreyan:beeper.com (@shreyanjain:matrix.org)
    the reason they are limiting invites right now is because it is a beta. things are not ready for the general public yet. they need a smaller subset of people to test and give feedback before releasing it to the general public
    And yet they reward those who invite people "who bring growth" with a shit load of codes (talking of many HUNDREDS of codes). It's very contradicting to be honest. And of course it gives those who remain on the waiting list a feeling of being ignored. I think every single one of the early subscribers would fit better into a beta(!) than accounts like weRateDogs, who just login once to safe their handles, but don't serve any purpose to the actual testing or developing 3rd party tools
    (edited)
  404. malcolmm joined the room
  405. Miguel Malcolm changed their display name to malcolmm
  406. malcolmm set a profile picture
  407. Jay Pinho joined the room
  408. hellstabber changed their display name to hellstabber (Old)
  409. Jy D joined the room
  410. Lizz joined the room
  411. @toranosora:matrix.org left the room
  412. couragic joined the room
  413. zeitgeist21 joined the room
  414. zeitgeist21
    Anybody have an invite?
  415. panji.bsky.social
    Nope
  416. luffy joined the room
  417. duckless_quack joined the room
  418. Eren joined the room
  419. hellstabber changed their display name to Eren
  420. swalexint joined the room
  421. redsolver joined the room
  422. Sam changed their display name to Sam Bulon
  423. @shadowislord:matrix.org left the room
  424. Lizz left the room
  425. Chris Lace
    verified checkmarks coming soon I hope. Ijs ..the celebrities are coming
  426. Marcio Alves
    Message deleted by Aaron Goldman
  427. moved to @shreyan:beeper.com@shreyanjain:matrix.org

    In reply to this message

    spam?
  428. Brenden Riggs
    Spam
  429. moved to @shreyan:beeper.com@shreyanjain:matrix.org

    In reply to this message

    yk, this could actually work really well as just another labeling service under composable moderation
  430. Brenden Riggs
    Oh interesting. So perhaps an individual could be verified/labeled by multiple trustworthy orgs.
  431. engineersam ⚡️
    I am hoping to be able to chain the moderation together like a loose neural net. "If ten of the people in this group like the post then this moderation 'fires' and feeds the post with a new labeled weight into the next moderation service" sort of thing.
  432. moved to @shreyan:beeper.com@shreyanjain:matrix.org
    that's more of a custom algorithmic feeds thing
  433. but sure
    (edited)
  434. Chris Lace
    moved to @shreyan:beeper.com (@shreyanjain:matrix.org): yeah’ but it is what it is ..in this social media world of impersonating someone. If you guys do sign me up because I have protect my brand. Thank You!
    (edited)
  435. Andrew Adams joined the room
  436. @plausibledenial:matrix.org joined the room
  437. @toshiw:matrix.org left the room
  438. Romans Malinovskis joined the room
  439. Brice joined the room
  440. Soli

    Hii, I am struggling a bit getting @atproto/api (https://socket.dev/npm/package/@atproto/api) to work on an expo iOS client. Everything is working perfectly on the web but for some reason, the login function fails when running Expo on iOS (npx expo start --ios).

    await agent.login({ identifier: email, password });

    The code snippet above returns the error function is undefined, specifically, it tries to use a function in URL.js

    ERROR [TypeError: undefined is not a function]

    I attached a screenshot of the error below. Does anyone know what I can do?

    (edited)
  441. callmearta joined the room
  442. owenn joined the room
  443. owenn
    Hello everyone, been reading up on the AT Protocol and I've been liking what I read so far. Looking forward to hearing more and see what I can build upon it !
  444. @cubixle:matrix.org left the room
  445. Matthew
    i wrote a thing which might or might not be of interest: https://news.ycombinator.com/edit?id=35886140
  446. @app1ep1e:matrix.org left the room
  447. @foxyzlove:matrix.org removed their profile picture
  448. @foxyzlove:matrix.org removed their display name (foxyzlove)
  449. @foxyzlove:matrix.org left the room
  450. @transrights:hot-chilli.im joined the room
  451. madiator2011
    I have question: How Bluesky aims to be decentralized? Where data is being stored and also if it's going to allow to self host?
  452. Brice

    In reply to this message

    What’s a “federated” network? It’s a way for servers to communicate with each other – like email. Instead of one site running the network, you can have many sites. Users get a choice of provider, and individuals and businesses can self-host if they want.
  453. From Bluesky Twitter
  454. madiator2011
    Ah so it goes same tech stack as Mastodon?
  455. Brice
  456. Basically the middle one
  457. In reply to this message

    what do you mean by tech stack?
  458. madiator2011
    I mean both platforms will work in federation model :)
  459. Brice
    yes :)
  460. Kjartan
    I still can't see how atproto is supposed to be decentralised (with the upcoming "federation") in any way (it might be in the future, though)
  461. Brice

    In reply to this message

    I mean if you want to delve deeper into the architecture, you're lucky, they released a blog post explaining it here: https://blueskyweb.xyz/blog/5-5-2023-federation-architecture
  462. Kjartan
    But if we count future intentions, I would like everyone to address me with "Almighty emperor of the world, universe, and everything there is"
  463. In reply to this message

    And if you remove the plc.registry and bgs, then every pds is on its own. That's just what Twitter and the others always have been, jsut with PDSs as external storage
  464. kcchu

    In reply to this message

    Could you define what decentralized mean to you? Besides PLA DID, which is not intended to be the final design, what else in AT Protocol do you think doesn’t meet the definition of decentralized?
  465. Kjartan
    Yes, it's not intended to be final. But until it's been replaced, one can't call it decentralised. Maybe "intended to become decentralised eventually"
  466. That's why I said: if we count intentions, then please call me "Almighty emperor of the world, universe, and everything there is" already
  467. I'm a nobody just temporarily. I really want to become almighty, etc
  468. Brice

    In reply to this message

    Not fully maybe but mostly decentralized, which I guess is where the nuance is.
  469. Kjartan

    In reply to this message

    I'm mostly a god. Sorry, for being snarky, but this is really a boolean type of thing
  470. Especially for this use case. I'm not saying they ever would do that - but if they wanted, they could easily remove any user from federation
  471. Brice

    In reply to this message

    Also I don't really understand your "if you remove". Maybe I'm very literal but the architecture doesn't intend to remove these components.
  472. Kjartan

    In reply to this message

    In a decentralised network, you can remove any random element. Yes, this element will be gone, but the rest continues to work as intended. If you remove my mailserver for example, you everyone who wasn't one my server, could still email to/ and receive from anyone else
  473. Brice

    In reply to this message

    That's a possibility. Now, for ATProtocol's future I don't think that would be a smart possibility, hence I don't attach to it a big probability.
  474. kcchu
    Architecturally, DID is an independent building block used by AT Protocol. It is a framework being developed under the umbrella of W3C and it is not even part of ATP. So, may I assume that your only concern not being decentralized is referring only to DID, and the parts that are actually in ATP are okay?
  475. Kjartan
    Please don't get me wrong in one thing: I don't try to move atproto in a bad light or anything. I just think it's celebrated for something already, which so far is just a statement of them (which might or might not happen)
  476. In reply to this message

    Even if it would never get decentralised (which is a possibility) ATP cn still be nice and a success. My only point is: one can't call it decentralised yet. Maybe in a few weeks or months, or maybe even a bit further in future. But right now, it's not (doesn't even have to be something bad; I like cake, oh, I love cake, but still, a cake is no steak, no matter what)
  477. kcchu
    I think as engineers a more fruitful question would be whether ATP is making progress in the right direction. You can’t control how media and celebrities perceive what Bluesky is. And I don’t think Bluesky team was trying to make false statements about the current progress.
    (edited)
  478. Kjartan

    In reply to this message

    My criticism is actually here not even towards the bsky team (I have criticism there, too, and some false claims). Here I guess it's indeed more the narrative of devs. As far as I remember, bsky team itself, talks always of the intentions to get it decentralised, but not that it would actually be the case already
  479. @planetoryd:matrix.org
    Message deleted
  480. Brice
    I don't know. To be fair, I'm not technically equipped to answer to this kind of question. My only take is that it might be unfair to also call it centralized as it is trying to go in the direction of decentralization and the architecture seems to support this direction. Thinking in "centralized" or "decentralized" only is a bit simplistic as it really depends on what you look at. It's quite black and white thinking and it might not be really relevant to how a development environment actually functions.
  481. Maybe I'm wrong and I would gladly receive the criticism but that's how I view things as of now.
  482. Kjartan
    Is it unfair if one refuses to call a cake a steak, even though the cake is god damn delicious? Like I said, there isn't anything horrible about it being cake. There is a good chance that a decentralised social media platform jsut doesn't work for some reasons (like: too much data to handle, or whatever). It's not unfair if you call things by how they are. Really, the cake/steak example isn't so bad. Because I think you and some others, might think my disagreement would also mean I would devalue atproto, but that's not my intention here. I like a lot of centralised stuff (and I love cake)
    (edited)
  483. madiator2011
    is there any way to access Bluesky expect just invite?
  484. @planetoryd:matrix.org

    In reply to this message

    find an exploit
  485. Kjartan

    In reply to this message

    What purpose? Testing api and stuff, or for the content?
  486. Because it's in both cases a yes (but with different solutions)
  487. madiator2011
    Mostly want to compare it with mastodon and if there is dev api probably start thinkering. As daily I run my mastodon instance.
  488. Kjartan
    Message deleted
  489. Kjartan
    Give me a second
  490. John Moore joined the room
  491. Kjartan
    Message from Kjartan there you find dozens of invites to a test instance (absolutely nothing is happening there, like really NOTHING at all. but you can play with the protocol, try to write a client or whatever; and as there is nothing happening, feel free to create a couple of accounts, so you can talk to yourself when the situation requires it (please don't do many big file uploads, I'm extremely low on free space)
    (edited)
  492. And for checking out the content of the real server: https://blue.amazingca.dev/
  493. In reply to this message

    If you have anymore questions to the test instance, it has to wait for two hours, as I really have to cook as the family is starving 😭
    (edited)
  494. madiator2011
    np thanks for info
  495. Lizz joined the room
  496. nKantarell3Sky joined the room
  497. @njkekantarell517:matrix.org left the room
  498. whyrusleeping
    Matthew: thank you for taking the time to write out that post on HN, we really appreciate that :)
  499. Kjartan
    So, invite codes for everyone, to celebrate? 👀
    (edited)
  500. James Lund joined the room
  501. Matthew

    In reply to this message

    np. it really pisses me off when open/decentralised projects attack other ones, and it feels important to try to show folks can be supportive instead
  502. @neeg:nitro.chat
    always has been
  503. Matthew
    perversely i have better diplomatic relations with element’s commercial competitors (
    rocket.chat
    , mattermost, zulip, wire etc) than with other chat protocols, which is 🤯
  504. foss sometimes brings out the worst in people. 😞
  505. @neeg:nitro.chat
    I think in FOSS people often invest a lot of their "mental energy" into believing that something is future so they take it personal and see alternatives as enemies.
  506. Kjartan
    To be fair: while I wouldn't call atproto an enemy, I would say it is indeed a potential threat to for example ActivityPub, isn't it? And from the point of view of the ones being threatened, I think it's not a far stretch if they see them as the enemy. I'm glad for the competition to be honest (please don't hit me), because it's usually a good thing for the users in the long run
  507. @neeg:nitro.chat
    And what the reason for people to be tied for a certain protocol? In popular services people use apps and don't think what's inside. Fediverse/Mastodon has changed the protocol from OStatus to ActivityPub also. But ATProto is rather incompatible with fediverse-like federation.
  508. Kjartan
    About the OStatus to ActivityPub change: I'm sure the OStatus people weren't happy about that either :D I'm not agreeing with the AP people, just saying that I can kinda understand those, who see ATprotocol as an enemy (that doesn't mean I support their view, just that's imo somewhat understandable)
  509. @neeg:nitro.chat
    Fediverse and ATProto are not direct competitors. Nostr and ATProto are. And Nostr is popularized amongst people who are extremely specialized on hating alternatives.
  510. Kjartan
    Oh, I would see AP and AT absolutely as competitors. I wouldn't say they are the same product (especially as their solution looks very different behind the surface), but they try to serve the somewhat same purpose (from the end-users' point of view)
  511. (and Nostr might have a serious advertising issue: I have heard about Nostr only at bsky - I asked friends, colleagues, etc and no one had ever heard of it)
  512. Skyler Hawthorne
    I don't see any decentralized services as competitors. Personally I'm glad that we are seeing decentralized services gaining enough popularity for there to be several federated decentralized ecosystems popping up
  513. It's a nice change of pace from yet another walled garden, that is competing with others for users and advertising dollars
  514. @neeg:nitro.chat

    In reply to this message

    But it permissionless so it possible to use it without invites.
  515. Skyler Hawthorne
    AP and AT have no reason to try to "outdo" the other, afaik
  516. Kjartan

    In reply to this message

    Only if one even knows about them. Never heard about them before, never read anywhere anything about it before 🤷‍♂️ But I have meanwhile indeed tried it (but the client was ugly, and I was also too hyped about atproto anyway 🤣)
  517. In reply to this message

    Even if they don't - some users might see their pals move to the other platform (and will be obviously unhappy about it)
  518. Aaron Goldman
    Kjartan: there are different opinions on what constitutes decentralized but here is my 2¢. The thing that makes AtProto decentralized is Authenticated Data. If I have your repo and your DID Document I can validate it. This is entirely independent of how I got the repo. The chain of signed commits has the roots of the Merkel trees. If I control my rotationKeys I can sign updates to my did:plc. This splits the problem into two problems. One, the creation and signing of commits to the repo. Two, the discovery and transport of repos. As for the first it is just math. If you control your keys you control your repo. As for the second there is efficiency to be had by a server for PLC and a PDS in the DID Document but if you wanted to have a did:key and use search to find commits signed by that key that could work just less efficiently. The place to look to judge the centralization of AtProto would be to look at what percentage of the users control their own rotationKeys.
  519. @neeg:nitro.chat
    Sounds like PGP.
  520. Fediverse is what if email was a social network. And Bluesky is what if PGP was a social network.
  521. Kjartan

    In reply to this message

    I guess we'll just disagree on this one. I agree, that centralisation has its benefits and perks (as here the efficiency as one example). That's why I say centralization doesn't have to be per se bad in all and every cases. But I'll disagree in regards whether it can be called decentralised (yet)
    (edited)
  522. Skyler Hawthorne

    In reply to this message

    It's decentralized in design, but not yet in practice
  523. Which is fine, it's still in development
  524. @lukuniklo:matrix.org joined the room
  525. whyrusleeping

    In reply to this message

    Yeah… it sucks. People feel so threatened that their “free labor with no guarantees” might be threatened by someone elses
  526. Dominick Rangel

    In reply to this message

    sort of. it is less secure than PGP but still really good comparatively
  527. Steve Rawlinson joined the room
  528. Aaron Goldman
    Pretty Good Authenticity
  529. I think the way to measure the progress on decentralization is did_count / rotation_keys_count
  530. 78080 did:plc / 59 rotationKeys
  531. Very few users are holding their own rotation key.
  532. Granted I think a reasonable default is for both the user and the PDS to have a rotation key
  533. Kjartan
    Message deleted
  534. Aaron Goldman
    the user should opt in to the PDS not being able to help them recover
  535. but the fact that the client dose not by default have a recovery key stored locally that can be use for the migration to a new PDS without the old PDS letting you out is a problem
  536. goykasi
    What is seen as the ideal situation for PDS? That each user is able to run/control their own?
  537. Stems looks interesting. Allowing users to delegate control of running the PDS, but each user still has their own.
  538. Kjartan

    In reply to this message

    did you just leak what's supposed to be the big upcoming surprise? 👀
  539. goykasi
    i dont think so. they say that on their site.
  540. Kjartan

    In reply to this message

    Oh, okay. Haven't checked for a while :D Zach should post those things on stems itself :D
    (edited)
  541. goykasi
    I didnt know about them until I saw that doc that Aaron linked. They hold the 2nd highest number of dids behind
    bsky.social
    (edited)
  542. Kjartan

    In reply to this message

    Yeah. it was a crazy time. Like 500 new users every hour or so. It was wild
  543. nkantarell3sky changed their display name to nKantarell3Sky
  544. Kjartan

    In reply to this message

    Were there some of the list removed?
  545. Because I miss
    microsoft.com
    (it was me) while my others are still there
  546. murat inanc joined the room
  547. goykasi
    Im not sure its up to date. I changed my PDS endpoint. The change isnt reflected there.
  548. Kjartan
    I'm also shocked that stems is just 5k something - because the server couldn't handle it at all at some times 🤔
  549. schnitzel-mit-pommes.de
    was my latest thing. microsoft came before
  550. while
    schnitzel-mit-pommes.de
    is horrible for an instance - because the compelte handle is allowed only to be 30 characters (if it uses the instance's suffix)
  551. murat inanc
    bluesky invite code
  552. is there
  553. Taiwan Brown joined the room
  554. sandsunsky joined the room
  555. garthtrickett joined the room
  556. retr0id

    In reply to this message

    wait I didn't even know it was possible to request you rotation key yet
  557. how?
  558. Kjartan
    They don't request it, they send it during account creation
  559. retr0id
    huh then where does the number 59 come from
  560. goykasi
    some users are running their own PDS
  561. moved to @shreyan:beeper.com@shreyanjain:matrix.org

    In reply to this message

    huh, I never recieved mine
  562. retr0id
    yeah me neither
  563. Kjartan
    I might be wrong, but I think you also can do it with
    bsky.social
  564. In reply to this message

    You don't receive it. you provide it
  565. goykasi
    i dont think its exposed to
    bsky.app
    users yet
  566. Kjartan
    At least I think so
  567. Now, I'm unsure
  568. retr0id
    how does a PDS "instantiate" a new DID?
  569. is it possible to send stuff to
    plc.directory
  570. DID is computed based on the new user info
  571. Kjartan
    With your usual request to create an account - you can also provide/send a recoverykey
  572. retr0id
    TIL!
  573. That's why I would really like to get a new invite code 😭 (I was to afraid to risk my original invite code by messing up with curl)
  574. Kjartan
    And I wasn't even sure, if I would be able to generate a proper key (in the right format etc)
  575. talking of that - how would one create a key, so it can be sent by curl? because in 5 months or so I probably might get a code as well
  576. goykasi
  577. Kjartan

    In reply to this message

    I'm kinda afraid of creating the string version part. Like as it is (the raw bytes) or converted to hex, or…
  578. or as a did:key
  579. goykasi
    hex (i think)
    (edited)
  580. Kjartan
    I hope till then some client will offer it already oob
  581. won't happen any time soon anyway
  582. Kjartan
    And even then I probably will give it to someone else. There are people who have been waiting for half a year. It's wrong to create a second account and let them wait
  583. Also bsky really would need some new users. My timeline gets a new post every few hours. more than a third of those I follow seem to have left already
  584. or they have blocked me - who knows 🤣
  585. Kjartan
    I very much assume it's the did:key… format as it is defined in the crypto package. But I don't speak typescript, so it's all to take with a grain of salt
  586. was actually meant for a different window, but fits here as well - maybe one of you knows more about it
  587. assumption that it's the did-format is because it gets shoved into an array with the pds's keys in did-format (at least that's how it looks to me)
  588. goykasi
    yah Im pretty sure the DID format is sent
  589. Kjartan
    I really hope atproto reconsiders their naming. did at… that's all really horrible to search for, even within source
  590. Kjartan
    Is there btw a way to test your own recoverykey, without already doing something "drastic" (like switching your pds)? Or can I test if the PDS really used my key?
  591. Or could an evil PDS just accept my recoveryKey, but use a different one, and I wouldn't know until I want to use it and fail?
  592. Or maybe even worse: not use a different one intentionally, but have a faulty implementation
  593. (it's not a bug people would have to recognise immediateley)
  594. Aaron Goldman
    The client could submit directly to
    plc.directory
    and not give the PDS the chance to mess with the key
  595. The PDS would send the PDS's key to the client and let the client create the DID Document
  596. Kjartan
    Okay. Is this already possible? As in: does there any public code exist to do this, yet?
  597. Kjartan
    And - would this be (by it's form, looks, length) a valid key? 😅 did:key:zQ3shdsnuzAKkKnwPDeu8KXiW2ipt1EREni78ndMPkVdkfyCJ ?
  598. (its 57 characters in total, so you don't need to count)
  599. Matthew Szklany joined the room
  600. Kjartan
    I likely got it. It's already ~4am on my side. But I'll write the necessary steps down, so others don't have to figure it out themselves
  601. moved to @shreyan:beeper.com@shreyanjain:matrix.org
    ooh that would be awesome
  602. @ab27:matrix.org joined the room
  603. yum joined the room
  604. yum set a profile picture
  605. citizenziggy
    is there a way to run self hosted server instance of bluesky?
  606. murat inanc
    hello bluesky invite code is there
  607. draganratkovic joined the room
  608. draganratkovic
    hello friends how are you
  609. draganratkovic set a profile picture
  610. @dsenjoyer:matrix.org left the room
  611. peterblitz joined the room
  612. Kjartan

    In reply to this message

    Yes
  613. 1inguini joined the room
  614. @transrights:hot-chilli.im removed their profile picture
  615. @transrights:hot-chilli.im removed their display name (transrights)
  616. @transrights:hot-chilli.im left the room
  617. Kjartan
    what's the purpose of refreshing the client session, instead of just creating a new one? Is it just so credentials don't need to be stored? Or is there more to it?
  618. codesforliving joined the room
  619. codesforliving
    Evening everyone, I would like to get started with development. If anyone has spare invite code, kindly share.
  620. draganratkovic
    There were more friends with bluesky code ?
  621. If there is more code, I will be happy to forward it from private
  622. Let's see if we can help with the development for Bluesky.
  623. @orpheuslummis:one.ems.host left the room
  624. Patryk joined the room
  625. Patryk
    Does anybody know what's the difference between lexicon's string enum and knownValues? Does enum only allow for the given values and knownValues is only a hint for which values can be expected?
  626. Freezlex changed their profile picture
  627. curiouskoa

    I’m an app developer and I want to create an AppView with a custom algorithm choice.

    I’ve been lurking here for a bit, and I’ve read all the blog entries at

    , but I’ve not uncovered anything that I think would actually help me to get started. Any suggested resources? 🙏

  628. ic5hoo7er joined the room
  629. curiouskoa
    valka: that’s exactly what I was looking for! Thank you!
  630. valka
    Happy to help :)
  631. Kjartan

    In reply to this message

    12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758require "secp256k1"
    require "big"
    require "http/client"
    require "json"
    
    key= Secp256k1::Key.new
    B58BT= "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
    
    class Array(T)
      def to_base58
        r= ""
        n= BigInt.new 0
        self.each do |byte|
          n= n*256+byte
        end
        loop do
          r+= B58BT[n%58]
          n= n//58
          break if n==0
        end
        r.reverse
      end
    end
    
    class Secp256k1::Key
      def public_did
        "did:key:z#{(Bytes[0xe7, 0x1].to_a + public_bytes_compressed.to_a).to_base58}"
      end
    end
    
    did= key.public_did
    fn= "#{did.split(':')[-1]}.key"
    File.write fn, key.private_hex
    
    puts "Stored the private key for '#{did}' as a hexstring in #{fn}.\nKeep it safe and secure!"
    print "On which server do you want to register (just press Enter if you're clueless what that means)? "
    host= (gets||"").chomp
    print "What's your email? "
    email= (gets||"").chomp
    print "What handle do you want? "
    handle= (gets||"").chomp
    print "What password do you want to use? "
    password= (gets||"").chomp
    print "And finally: What's your invite code? "
    inviteCode= (gets||"").chomp
    
    host= "https://bsky.social" if host.empty?
    host= "https://#{host}" unless host.starts_with? "http"
    resBody= HTTP::Client.post("#{host}/xrpc/com.atproto.server.createAccount", 
                                  headers: HTTP::Headers{"User-Agent" => "accountCreator0.1", "Content-Type" => "application/json"}, 
                                  body: "{\"handle\":#{handle.inspect},\"password\":#{password.inspect},\"email\":#{email.inspect},\"inviteCode\":#{inviteCode.inspect},\"recoveryKey\":#{did.inspect}}").body
    jres= JSON.parse resBody
    if (error= jres["error"]?)
      puts "Couldn't create the account, because… #{jres["error"]}: #{jres["message"]?||"???"}"
      puts "The key has not been removed, in case account creation was somehow successful - but that's unlikely :("
    else
      puts "Hooray! All good. Now go and have fun!"
    end  
    

    It's not perfect, but it should give everyone an idea, how it works (and while not perfect, it works, it just could do the one or the other thing probably a bit better)

  632. In reply to this message

    Also, if anyone needs it compiled, I can offer osx(intel), linux and Windows (I've tested so far only the osx version). For devs likely not something they need (or even would want), but I'm thinking of the one or other average user, who got lost here (to ask for an invite code or something) and wouldn't know how to compile something
  633. used libraries obviously are not, but all the written code lines were done by myself and are licensed under the wtfpl (http://www.wtfpl.net/about/)
  634. In reply to this message

    Also the private key is stored in your current directory. Pay attention that it's not /tmp or copy your key to some safer place :D
    (edited)
  635. Brendan Abolivier joined the room
  636. Aaron Goldman
    Any reason you made your own multibase rather than using an existing jem https://rubygems.org/gems/multibases Disclaimer: I have never used this gem and can't vouch for it
  637. I didn't see a gem for did:key which surprised me
  638. apra joined the room
  639. Kjartan
    It's crystal, not ruby :) I don't think they have already something for base58 (I guess they have not, but I haven't looked for it (it's sometimes hard to find their equivalents of gems), and of how often something like this will be used, I expect that this likely doesn't exist yet)
  640. Aaron Goldman
    Oh never tried Crystal but I hear good things
  641. Kjartan
    Also, it's something which is quickly written, and performance doesn't matter here. So I would have spent more time looking for something than just writing it quickly myself
  642. Kjartan
  643. If anyone reads this, and they want to build something where performance will matter. I also constructed the string very… slowly. You can get already about 25% improvement just by doing the strings better
  644. The way it was posted, a MacPro from 2009 would do 10k base58 strings in 0.22s (with sanely optimised strings down to 0.17s, and with optimal strings down to 0.140s). If you were going to optimise the BigNum operations, I guess you would end up somewhere around 0.06 to 0.08s) - but it really doesn't matter for just one key just the way it was without any optimisations
  645. In reply to this message

    It's nice. But it's somewhat wrongly advertised imo (as in "oh, it's almost like ruby"). As someone who loves ruby, one gets very quickly, very frustrated by crystal. But especially for something small like this, and if you want it cross-platform, it's nice, yeah (or if you don't mind it being often very different from ruby by choice)
  646. goykasi
    Aaron Goldman: can you explain what "rotationKeys" are in the did document data? they arent mentioned in the atproto docs, but they seem to be related to signing and recovery keys. its not clear though
    https://github.com/bluesky-social/did-method-plc/blob/main/packages/lib/src/types.ts#L18
  647. Kjartan
    if you have 3 of them, the first one is the recoveryKey, the second one is …
  648. the second one is the PDS' recoverykey and the third one is plcRotationKey!? Mh, nah, don't trust me. I don't know :(
  649. Anoop Bhatia joined the room
  650. Kjartan

    In reply to this message

    But that's at least where they come from
  651. Anoop Bhatia
    please give me a bluesky invite code 🙏🏻
  652. memory-system
    Is asking in this chat the process by which one receives an invite code?
  653. Kjartan

    In reply to this message

    No :(
  654. I sadly don't have any codes. We are talking here only about the technical aspects of the protocol. But we don't have any codes either :(
  655. memory-system
    I have been lurking in this chat and I have been waiting for the time to look over the codebase. Hopefully this weekend will be free. Is there a good place to read documentation?
  656. Chris Lace

    It would be great if the actual people from (BlueSky) start a telegram but don’t invite too many.

    Communication Is Key

  657. Anoop Bhatia

    In reply to this message

    😭
  658. Kjartan

    In reply to this message

    But if you get any - you can send me one via DM 🤣
  659. Or probably literally to anyone else in this room
  660. Anoop Bhatia

    In reply to this message

    🫨
  661. Aaron Goldman

    In reply to this message

    "verificationMethods":{ "atproto":"did:key:zQ3shXjHeiBuRCKmM36cuYnm7YEMzhGnCmCyW92sRJ9pribSF" }, "rotationKeys":[ "did:key:zQ3shhCGUqDKjStzuDxPkTxN6ujddP4RkEKJJouJGRRkaLGbg", "did:key:zQ3shpKnbdPx3g3CmPf5cRVTPe1HtSwVn5ish3wSnDPQCbLJK" ]
    If you want to update the DID Document you need to sign the update. The rotationKeys are the list of keys that are allowed to update the DID Document. This key can be used to rotate the verificationMethods.atproto the alsoKnownAs , the atproto_pds, or any other field in the DID Document.

    The verificationMethods.atproto is the key for signing repo updates. So the rotation keys are really part of did:plc not AtProto.

    The reason there is an order has to do with the conflicting goals of being able to revoke keys and recover when your keys are compromised.

    If two keys try to make conflicting updates within 72 hours like say removing each other the winner is the key that is first in the list.

    So if you trust your PDS with a rotation key and they try to steal your DID you, your client, has 72 hours to notice and recover the DID using a higher priority key.
    But if you lose your phone and need your PDS to add your new phone to the DID Document once the 72 hours are up the key on the old phone is gone and there is no risk to the key being out in the world.

  662. It is a good idea for a PDS to have 2 keys for the rotation keys a online lower priority key and a offline high priority key just in case the PDS gets hacked and they need to recover all the did:plc s from the attacker.
  663. So you would expect the list to be [users key, offline PDSs key, online PDSs key] unless a user has a lot of confidence in themselves not losing their keys in which case you expect [users offline key, users client key]
  664. Kjartan

    In reply to this message

    Thanks! This was highly informative! (all of that, not just the last message)
  665. You should write more often 🤣
  666. And it helps a lot with my own server implementation 👍
  667. Aaron Goldman
    did:plc was an exercise in minimizing trust in the PDSs and the directory but at the same time letting users scale their own desires to manage their own keys.
  668. We really didn't want to force users to manage their own keys from day one but also needed when the did:plc became important to them that they could rotate themselves into being solely responsible for managing their keys
  669. Kjartan
    Only as a thought: If I get it right, the PDS could at any time replace the keys. Yes, because my recovery key is "stronger" I would win any disagreement within 72h. But, I likely wouldn't recognise it, if the PDS just swapped the keys!? Usually I wouldn't, would I?
  670. Or should I (ideally) check if my recovery is still there at least once every 72h?
  671. Aaron Goldman
    A normal human would never notice such a thing. The clients better be checking the directory and notifying the user
  672. @neeg:nitro.chat
    But what is the time source for this 72h window?
  673. Kjartan
    And if it was unnoticed, by myself and by my client, etc, then the PDS would have been successful in taking over my account?
  674. Aaron Goldman
    I tend to assume that the client is more the users agent then the PDS is
  675. Kjartan

    In reply to this message

    I guess the change which is contested?
  676. @neeg:nitro.chat
    I mean what prevents the PDS or another bad actor from publishing key change with tampered time as an event happened more than 72h ago.
  677. Aaron Goldman

    In reply to this message

    Now that is the correct question. Now it is the directory if a PDS were to collude with the directory It could take any did:plc they had a rotation key for. But what are the chances the largest most popular PDS would be run by the same organization that runs the directory?
  678. The ordering of the DID Document deltas is the thing we are trusting the directory with and the reason once there are many PDS operators we need to find a way to replace the centralized directly with a decentralized immutable legger
  679. draganratkovic
    Aaron Goldman, can you check in private?
  680. @neeg:nitro.chat
    Time is subjective in decentralized context. So maybe a sort of distributed timestamp server could help.
  681. Aaron Goldman
    Essentially the question of how to manage the directory can't be answered because it's about buyin from the PDS operators. That's why it was PLC. It had to be a placeholder because there couldn't be a community of PDS operators until the protocol launched and we needed a community of PDS operators to decide what to do with the directory. So a centralized placeholder it is. 😭
    (edited)
  682. goykasi

    In reply to this message

    That makes a lot of sense. But its good that we are discussing now!
  683. Kjartan
    Somewhat less important, but for the full understanding, and while we are at it: the pds offline key, and pds online key, is there again a 72h window?
  684. Aaron Goldman
    did:ion solved this by using Bitcoin's chain as the timestamp server but that makes it slow and not free
  685. Kjartan

    In reply to this message

    To be honest, this discussion is kinda the stuff I hoped for, for a long time
  686. moved to @shreyan:beeper.com@shreyanjain:matrix.org

    In reply to this message

    like you said earlier using the bitcoin blockchain is impractical
  687. Aaron Goldman
    The only thing is that keys earlier in the list have priority over keys later in the list. Did:plc has no concept of what the key are. If you put them in the wrong order sucks to be you.
  688. goykasi

    In reply to this message

    Thank you for the explanation. To clarify, rotationKeys are specifically for updating the did document and verificationMethods are published application keys (ie used to sign posts added to user repos)?

    The current Go implementation seems to place the signing key into both the rotationKeys and verificationMethods parts of the did document? Is that just out of simplicity of getting it up an running?

  689. Aaron Goldman

    In reply to this message

    I thought we published on this 🤔
  690. goykasi

    In reply to this message

    It is a bit, but I think the intent that you described above was not
  691. Kjartan

    In reply to this message

    I think I can answer that, because my impl does it too. It's because the ts repo kinda does it like that. One keypair gets created, and is then used for both
  692. goykasi

    In reply to this message

    Yah that is more or the less the source of the original question. It was a bit confusing
  693. Kjartan

    In reply to this message

    Not like this. By far not like this
  694. In reply to this message

    Might be related to that weird overrides? thing I couldn't make much sense of
  695. Aaron Goldman
  696. Maybe it needs more discussion of how the trust in the directory is so low and why it is still scary.
  697. Kjartan

    In reply to this message

    I find it by far not as understandable as this is
  698. Docs could also do with a few examples every now and then ;)
  699. Aaron Goldman
    Also someone who doesn't work for Bluesky PBLLC should make a website hasThePlcDirectoryMutated.example let downloads the whole ledger periodically and checks if anything's been removed.
  700. Kjartan
    Or it was new to me, that the keys are basically only different in their priority. That they would be (of functionality) interchangable
  701. Aaron Goldman
    I think `/xrpc/com.atproto.server.createAccount` takes `recoveryKey` but the PDSs also adds it's two rotation key after the one provided by the client.
  702. Kjartan

    In reply to this message

    Yeah
  703. Aaron Goldman
    I think it's important for the user to have the highest priority key incase there PDS betrayed them but maybe most users are so don't want to keep track of an offline key badly enough that they disagree
  704. goykasi

    In reply to this message

    Its still a good feature though. But you are correct. Most people wont want to explicitly secure their key(s). They would most likely depend on the client to hold them and track DID doc changes
  705. Aaron Goldman
    I kinda like [user offline key, PDSs offline key, PDSs server key, client device key] but that is probably complicated for the user to understand the difference between the key in there phones local TPM and the rescue words on paper in their sock drawer
  706. Kjartan

    In reply to this message

    Probably depends on the case. Those who selfhost, will likely trust their PDS a lot more than others. While the most average user probably doesn't care about it at all (and would be even still happy with being on twitter, but their friends asked them to join)
  707. Aaron Goldman

    In reply to this message

    Yup, on boarding needs to be seamless. Sign them up now. Let them generate a recovery key and print out the recovery words later once they care about the account
  708. Kjartan

    In reply to this message

    You are very optimistic, that they will ever care about it :D I'm not talking about the "nerds", but the most casual user :D
  709. @turing_k:matrix.org left the room
  710. Chris Lace
    👍
  711. Aaron Goldman
    Here is the scenario I worry about. 1) user signed up with a somewhat random PDS. 2) user uses AtProto for Bluesky and other Apps for years without thinking much about who their PDS is. 3) the PDS goes out of business and vanishes with no notice other than the client spins on a connecting screen. 4) user tries to migrate to a new PDS and finds out that they never had any of the rotation keys 5) 😭 The clients should have a rotation key. Without the user needing to think about it.
  712. moved to @shreyan:beeper.com@shreyanjain:matrix.org
    oh for sure
  713. clients might even want to automate pds switching selection if one goes down
  714. but that raises the issue of what if it's only temporarily offline
  715. Aaron Goldman
    But I am more likely to install malware on my phone the most PDSs are on the server
  716. If the key on my phone is hacked and the highest priority then I'm done.
  717. [user offline key(optional), PDSs offline key, PDSs server key, client device(s) key(s)]
  718. After this conversation that were I'm leaning
  719. goykasi
    Very true. And there likely isn’t a great way to solve it without centralizing PDS instances. Or without having some sort of permanent authority hub. But who would run that?
  720. retr0id

    In reply to this message

    I think the answer here is to require "paper wallet" key backups to be made during signup (show on one screen, ask the user to re-input as verification on the next), but maybe that's too much friction for a mass audience idk
    (edited)
  721. goykasi
    A Bip39 route could be taken, but not many users will care to write down their seed words
  722. moved to @shreyan:beeper.com@shreyanjain:matrix.org
    that could run into the same issues as what nostr clients, bitcoin wallets etc have with adoption
  723. retr0id
    as an aside, yubikey as signing key would be neat
  724. goykasi
    True, but that also doesnt reach the masses. Most regular users have never even heard of a yubikey.
  725. retr0id
    right, hence aside
  726. moved to @shreyan:beeper.com@shreyanjain:matrix.org
    android lets google's password manager work with apps, I don't know about iOS though, or if people even trust Google
  727. goykasi
    ios has a similar feature. And I would assume most users (android and ios) "trust" the password managers, because that is the platform's default offering
  728. Aaron Goldman

    In reply to this message

    Well "entire maze dynamic wedding proud essay run present average delay seat essay ticket hobby spirit" is all I have to say about that.
  729. goykasi
    It doesnt fully solve the problem of recovery in the case that a phone is lost, but its an entry to 90% (higher?) regular users
  730. Aaron Goldman
    Yup my password manager is much better at remembering 15 random words than I am
  731. As to Yubikey that's just one more device like the TPM in my phone, tablet, or laptop.
  732. goykasi
    Most users just want something easy. And, in all reality, usually dont care much about decentralization or keypairs. They want to use something easy, popular and fun. Jumping through hoops isnt fun. We may have other concerns (which are neat), but AT/Bsky is meant to hit the masses (and not be another bitcoin)
  733. Kjartan
    Is there a limit of keys the plc-reg will accept? And if so, what is the limit?
  734. Aaron Goldman
    There was a limit on the total size of the document the directory will accept. I don't remember what it was something like 1kb or 4kb. Can't seem to matter much at the time most of the documents are only a quarter kb
  735. Kjartan
    Oh, and limits are in general a thing, where I never know, is that limited by the protocol, or by the server implementation,… like number of pictures embedded (probably server), file-size-limits. json-size, etc
  736. but if it's server side, I would have expected that describeServer would inform the client about a lot of those limits, and not just let it try and fail
    (edited)
  737. kcchu

    In reply to this message

    iPhone users who use iCloud is easier here. iCloud Keychain is considered secure enough that even some crypto wallets use it to store wallet key without additional encryption. And the best part is that it covers device lost situation
  738. goykasi
    Aaron Goldman: Thanks again for the explanations. Im a lot more clear on how the PLC operations happen. Another source of confusion is that there are multiple formats for the operations (request and response) to the PLC server: create, plc_operation, plc_tombstone. And terminology in those formats dont always overlap.
    Maybe create and rotate/op could be changed to be more similar. The purpose of the message parts might be more clear and consistent.
  739. kcchu
    While we are at here. I want to ask a question about PLC. I understand it is temporary but it is a centralized service which gives Bluesky the power to remove or take over an user. I think it will soon become an hot issue when there are more user and media attention. What is the plan for replacing the PLC with something long term?
    (edited)
  740. Kjartan