@movq@www.uninformativ.de Care to explain how this explicit/attack works for me? 🤣

Well that was bloody awful. This PR bokr my pod for some strange reason I can’t figure out why or how 😱 The process just kept getting terminated from something, somewhere (no panic). weird. I’ve reverted this PR for now @xuu@txt.sour.is

@prologic@twtxt.net I have no specifics, only hopes. (I have seen some articles explaining the GDPR doesn’t apply to a “purely personal or household activity” but I don’t really know what that means.)

I don’t know if it’s worth giving much thought to the issue unless either you expect to get big enough for the GDPR to matter a lot (I imagine making money is a prerequisite) or someone specifically brings it up. Unless you enjoy thinking through this sort of thing, of course.

Really though I only managed to save a few GB, but it’s enough for now.

@bender@twtxt.net Haha 😛 Faster? Maybe 🤔 But yeah it’s good to have backups! (that work)

I’ve also put up this PR Add compatible methods for Index to behave as the Archiver (transition) #1177
that will act as a transition from the old naive archiver to the new bluge-based search/index. I will switch my pod over to this soon to test it before anyone else does.

For those curious, the archive on this pod had reached around ~22GB in size. I had to suck it down to my more powerful Mac Studio to clean it up and remove a bunch of junk. Then copy all the data back. This is what my local network traffic looked like for the last few hours 😱

And we’re back. Sorry about that 😅

@lyse@lyse.isobeef.org Hmmm I’m not sure sure I get what you’re getting at here. In order for this to be true, yarnd would have to be maliciously fabricating a Twt with the Hash D.

i.e: there must be two versions of the Twt in the feed.

@lyse@lyse.isobeef.org This is true. But the client MUST supply the original too! Or this doesn’t work 😢

00:00 local time - Happy #SoftwareFreedomDay!

Here’s a map of all the events that are going to happen worldwide. In which are you going to participate?

@dff@dff https://fosstodon.org/@dff/113170848636203522

https://spiritualsprings.proboards.com/thread/46/flat-earth-round-explorer

Have a nice weekend everyone

The monthly reading tag for #September is #school, and I thought I would be reading fiction for it. But fate decided that the book in the picture would be released this month, so here am I fulfilling the thread by reading a non-fiction book about the high-school I attended to, a book I participate with along others that help form a collective memory spanning five decades - I am the youngest participant, having graduated from this high-school in 1999.

#fridayreads #bookstodon

Image

On my blog: Toots 🦣 from 09/16 to 09/20 https://john.colagioia.net/blog/2024/09/20/week.html #linkdump #socialmedia #quotes #week

If OTOH your client doesn’t store individual Twts in a cache/archive or some kind of database, then verification becomes quite hard and tedious. However I think of this as an implementation details. The spec should just call out that clients must validate/verify the edit request and the matching hash actually exists in that feed, not how the client should implement that.

@lyse@lyse.isobeef.org Yes you do. You keep both versions in your cache. They have different hashes. So you have Twt A, a client indicates Twt B is an edit of A, your client has already seen A and cached and archived it, now your client fetches B which is indicated of editing A. You cache/archive B as well, but now indicate in your display that B replaces A (maybe display, link both) or just display B or whatever. But essentially you now have both, but an indicator of one being an edit of the other.

The right thing to do here of course is to keep A in the “thread” but display B. Why? So the thread/chain doesn’t actually break or fork (forking is a natural consequence of editing, or is it the other way around? 🤔).

@lyse@lyse.isobeef.org I’m all for dropping delete btw, Or at least not making it mandatory, as-in “clients should” rather than “clients must”. But yes I agree, let’s explore all the possible ways this can be exploited (if at all).

@movq@www.uninformativ.de I think not.

What about edits of edits? Do we want to “chain” edits or does the latest edit simply win?

This gets too complicated if we start to support this kind of nonsense 🤣

@movq@www.uninformativ.de Thank you! 🙏

@lyse@lyse.isobeef.org Walk me through this? 🤔 I get what you’re saying, but I’m too stupid to be a “hacker” 🤣

But yes, at the end of the day if the edit request is invalid or cannot be verified, it should be ignored as treated as “malicious”.

@lyse@lyse.isobeef.org @movq@www.uninformativ.de So a client that has the idea of a cache/archive wouldn’t necessarily have to re-check that the Twt being marked as “edited” belongs to that feed or not, the client would already know that for sure. At least this is how yarnd works and I’m sure jenny can make similar assertions too.

@lyse@lyse.isobeef.org @falsifian@www.falsifian.org Contributions to search.twtxt.net, which runs yarns (not to be confused with yarnd) are always welcome 🤗 – I don’t have as much “spare time” as I used to due to the nature of my job (Staff Engineer); but I try to make improvements every now and again 💪

@falsifian@www.falsifian.org You make good points though, I made similar arguments about this too back in the day. Twtxt v2 / Yarn.social being at least ~4 years old now 😅

@falsifian@www.falsifian.org Do you have specifics about the GRPD law about this?

Would the GDPR would apply to a one-person client like jenny? I seriously hope not. If someone asks me to delete an email they sent me, I don’t think I have to honour that request, no matter how European they are.

I’m not sure myself now. So let’s find out whether parts of the GDPR actually apply to a truly decentralised system? 🤔

LOL 😂 This:

anyone could claim that some feed contained a certain message which was then removed again by just creating the hash over the fake message in said feed and invented timestamp themselves

I’d like to see a step-by-step reproduction of this. I don’t buy it 🤣

Admittedly yarnd had a few implementation security bugs, but I’m not sure this is actually possible, unless I’m missing something? 🤔

@david@collantes.us Very nice! 👍

And they have arrived (well, they did around 3 hours ago, LOL). Buttery smooth, my 16 Pro (one with dark cover). It took a bit over an hour to transfer all my data.

Image

Ah, and now he is “conveniently” sleeping. How, well, convenient! LOL.

@lyse@lyse.isobeef.org yeah, tell us, @prologic@twtxt.net, what isn’t true? 🤔 You can’t just go around, “that’s not true, and that’s not true; and that, and that!” without spelling out exactly what isn’t, and why? For the love of god, why?! 😂

@falsifian@www.falsifian.org comments on the feeds as in nick, url, follow, that kind of thing? If that, then not interested at all. I envision an archive that would allow searching, and potentially browsing threads on a nice, neat interface. You will have to think, though, on other things. Like, what to do with images? Yarn allows users to upload images, but also embed it in twtxts from other sources (hotlinking, actually).

@david@collantes.us Thanks, that’s good feedback to have. I wonder to what extent this already exists in registry servers and yarn pods. I haven’t really tried digging into the past in either one.

How interested would you be in changes in metadata and other comments in the feeds? I’m thinking of just permanently saving every version of each twtxt file that gets pulled, not just the twts. It wouldn’t be hard to do (though presenting the information in a sensible way is another matter). Compression should make storage a non-issue unless someone does something weird with their feed like shuffle the comments around every time I fetch it.

I ended up installing Headscale on my little VPS. Just in case the collide, I turned off WireGuard. Turning that one off (which ran on a container) also frees some memory. Headscale is running quite well! Indeed, I have struggled getting any web management console to work, but it really isn’t needed. Everything needed to commandeer the server is available through the CLI.

@falsifian@www.falsifian.org “I was actually thinking about making an Internet Archive style twtxt archiver, letting you explore past twts” — that’s an awesome idea for a project. Something I would certainly use!

@movq@www.uninformativ.de I don’t think it has to be like that. Just make sure the new version of the twt is always appended to your current feed, and have some convention for indicating it’s an edit and which twt it supersedes. Keep the original twt as-is (or delete it if you don’t want new followers to see it); doesn’t matter if it’s archived because you aren’t changing that copy.

@prologic@twtxt.net Do you have a link to some past discussion?

Would the GDPR would apply to a one-person client like jenny? I seriously hope not. If someone asks me to delete an email they sent me, I don’t think I have to honour that request, no matter how European they are.

I am really bothered by the idea that someone could force me to delete my private, personal record of my interactions with them. Would I have to delete my journal entries about them too if they asked?

Maybe a public-facing client like yarnd needs to consider this, but that also bothers me. I was actually thinking about making an Internet Archive style twtxt archiver, letting you explore past twts, including long-dead feeds, see edit histories, deleted twts, etc.

@movq@www.uninformativ.de Ok 😅

@movq@www.uninformativ.de Hmmm not sure what I was thinking sorry 🤦‍♂️been a long day 😂

@movq@www.uninformativ.de Am I missing something? 😅

@movq@www.uninformativ.de Precisely 👌

@movq@www.uninformativ.de Is t it? You read each Twt and compute its hash. It’s a simple O(1) lookup of the hash in that feed or your cache/archive right?

@prologic@twtxt.net what time in UTC?

@prologic@twtxt.net cool, I will be there! Are you going to post the regular banner notice? It will serve as a reminder, at least for me.

AWESOME COOL ☻

👋 Reminder that next Saturday 28th September will be out monthly online meetup! Hope to see some/all of you there 👌

I’ll try to reproduce locally later tonight

i kinda click a yarn then a fork and the back button. i have to do a few goes before it does it.

@lyse@lyse.isobeef.org I don’t think this is true.

@lyse@lyse.isobeef.org No that’s never a problem because we really only want to “navigate” the web anyway not form threads of xonversation 🤣

@movq@www.uninformativ.de this approach also wouldn’t work and when that Feed gets archived so you’ll be forced to crawl archived feeds at that point.

The important bits missing from this summary (devil is in the details) are two requirements:

• Clients should order Twts by their timestamp.
  
• Clients must validate all edit and delete requests that the hash being indicated belongs to and came from that feed.
  
• Client should honour delete requests and delete Twts from their cache/archive.

@lyse@lyse.isobeef.org This is why hashes provide that level of integrity. The hash can be verified in the cache or archive as belonging to said feed.

@movq@www.uninformativ.de I think the order of the lines in a feed don’t matter as long as we can guarantee the order of Twts. Clients should already be ordering by Timestamp anyway.

@movq@www.uninformativ.de Pretry much 👌

@lyse@lyse.isobeef.org Sorry could you explain this sifferently?

Do you k ow what you clicked on before going back?

@eldersnake@we.loveprivacy.club Sweet thank you! 🙇‍♂️ I’ll merge this PR tonight I think.

Seems to be working OK 🤔

Pelos vistos antigamente havia uma coisa chamada “baile tipo Cascais”. Mas como o mundo subversivo dos anos 50 e 60 em Portugal não está bem documentado, há zero resultados a uma pesquisa do termo nos motores de busca da Internet… resta-me a imaginação para tirar as conclusões (provavelmente erradas) de como seria tal baile.

On my blog: Real Life in Star Trek, The First Duty https://john.colagioia.net/blog/2024/09/19/first-duty.html #scifi #startrek #closereading

@david@collantes.us Well, I wouldn’t recommend using my code for your main jenny use anyway. If you want to try it out, set XDG_CONFIG_HOME and XDG_CACHE_HOME to some sandbox directories and only run my code there. If @movq@www.uninformativ.de is interested in any of this getting upstreamed, I’d be happy to try rebasing the changes, but otherwise it’s a proof of concept and fun exercise.

@falsifian@www.falsifian.org hiya from the Sunshine State (also known as a never-ending hell, LOL)!

I forgot to git add a new test file. Added to the patch now at https://www.falsifian.org/a/oDtr/patch0.txt

@falsifian@www.falsifian.org this one hits hard, as jenny was just updated today. :‘-(

its replacing the contents of body for some reason.

@david@collantes.us Hello!

@prologic@twtxt.net Hi. i have noticed sometimes when i hit the back button i lose all the surrounding layout and just have a list of twts.

BTW this code doesn’t incorporate existing twts into jenny’s database. It’s best used starting from scratch. I’ve been testing it using a custom XDG_CACHE_HOME and XDG_CONFIG_HOME to avoid messing with my “real” jenny data.

I wrote some code to try out non-hash reply subjects formatted as (replyto ), while keeping the ability to use the existing hash style.

I don’t think we need to decide all at once. If clients add support for a new method then people can use it if they like. The downside of course is that this costs developer time, so I decided to invest a few hours of my own time into a proof of concept.

With apologies to @movq@www.uninformativ.de for corrupting jenny’s beautiful code. I don’t write this expecting you to incorporate the patch, because it does complicate things and might not be a direction you want to go in. But if you like any part of this approach feel free to use bits of it; I release the patch under jenny’s current LICENCE.

Supporting both kinds of reply in jenny was complicated because each email can only have one Message-Id, and because it’s possible the target twt will not be seen until after the twt referencing it. The following patch uses an sqlite database to keep track of known (url, timestamp) pairs, as well as a separate table of (url, timestamp) pairs that haven’t been seen yet but are wanted. When one of those “wanted” twts is finally seen, the mail file gets rewritten to include the appropriate In-Reply-To header.

Patch based on jenny commit 73a5ea81.

https://www.falsifian.org/a/oDtr/patch0.txt

Not implemented:

• Composing twts using the (replyto …) format.
  
• Probably other important things I’m forgetting.

Hmm…

@lyse@lyse.isobeef.org indeed! There is no “central authority” acting as witness, and notary. The more I think of it… LOL.

@movq@www.uninformativ.de I recognise him, but yes, he has aged quite a bit. I mean, I look at myself in the mirror and can’t, often, recognise myself. Ageing is a bitch! 😅

I mean, really, it couldn’t get any better. I love it!

Image

@movq@www.uninformativ.de perfect in every way. Configurable too! Thank you!

@movq@www.uninformativ.de yes, that’s perfect! <3

@eldersnake@we.loveprivacy.club I wanted to ask you, are you running Headscale and WireGuard on the same VPS? I want to test Headscale, but currently run a small container with WireGuard, and I wonder if I need to stop (and eventually get rid of) the container to get Headscale going. Did you use the provided .deb to install Headscale, or some other method?

@david@collantes.us I think we can!

@prologic@twtxt.net I read it. I understand it. Hopefully a solution can be agreed upon that solves the editing issue, whilst maintaining the cryptographic hash.

e.g: Shutdown yarnd and cp -a yarn.db yarn.db.bak before testing this PR/branch.

Can I get someone like maybe @xuu@txt.sour.is or @abucci@anthony.buc.ci or even @eldersnake@we.loveprivacy.club – If you have some spare time – to test this yarnd PR that upgrades the Bitcask dependency for its internal database to v2? 🙏

VERY IMPORTANT If you do; Please Please Please backup your yarn.db database first! 😅 Heaven knows I don’t want to be responsible for fucking up a production database here or there 🤣

nevermind; I think this might be some changes internally in Go 1.23 and a dependency I needed to update 🤞

Can someone much smarter than me help me figure out a couple of newly discovered deadlocks in yarnd that I think have always been there, but only recently uncovered by the Go 1.23 compiler.

https://git.mills.io/yarnsocial/yarn/issues/1175

Location Addressing is fine in smaller or single systems. But when you’re talking about large decentralised systems with no single point of control (kind of the point) things like independable variable integrity become quite important.

What is being proposed as a counter to content-addressing is called location-addressing. Two very different approaches, both with pros/cons of course. But a local cannot be verified, the content cannot be be guaranteed to be authenticate in any way, you just have to implicitly trust that the location points to the right thing.

For example, without content-addressing, you’d never have been able to find let alone pull up that ~3yr old Twt of me (my very first), hell I’d even though I lost my first feed file or it became corrupted or something 🤣 – If that were the case, it would actually be possible to reconstruct the feed and verify every single Twt against the caches of all of you 🤣

@david@collantes.us I really thinks articles like this explain the benefits far better than I can.

@prologic@twtxt.net I know the role of the current hash is to allow referencing (replies and, thus, threads), and it also represents a “unique” way to verify a twtxt hasn’t been tampered with. Is that second so important, if we are trying to allow edits? I know if feels good to be able to verify, but in reality, how often one does it?

@movq@www.uninformativ.de could it be possible to have compressed_subject(msg_singlelined) be configurable, so only a certain number of characters get displayed, ending on ellipses? Right now the entire twtxt is crammed into the Subject:. This request aims to make twtxts display on mutt/neomutt, etc. more like emails do.

@david@collantes.us Oh ! 🤦‍♂️

@david@collantes.us Witout including the content, it’s no longer really “content addressing” now is it? You’re essentially only addressing say nick+timestamp or url+timestamp.

@prologic@twtxt.net I don’t trust Google with anything, sorry, pass. Oh, and you need to sign in on your Google Account (or whatever they call it these days).