@bender@twtxt.net Big photo capability upgrade?

@aelaraji@aelaraji.com Nice hack! 👌

@bender@twtxt.net I doubt I’ll be able to watch it live 🤣 But by all means, please Yarns all the goodies 😅

@bender@twtxt.net Kind of mirrored the ssh and ssh-keygen utilities. No reason really.

@bender@twtxt.net

$ echo 'hello world' | ./salty -i ./test_ed25519 --ssh-key --sign

@bender@twtxt.net Ahh yeah sorry about that 🤣 You were getting confused between salty.im and salty. The later of which salty.im actually uses and formed the basis of everything else. It’s a simple robust library and command-line tools with good test coverage. The lowest building block 😅

@prologic@twtxt.net excellent, thanks!

@movq@www.uninformativ.de That bad eh? 😅

For example:

$ echo 'hello world' | ./salty -i ./test.key -s | ./salty -i ./test.key -v
# signed by: kex1yfzzthmsdlqhgwzafy9zpjze6a0asxf6y552dp4yhvq66a4jje0qxqapvd
hello world

@bender@twtxt.net Yes of course it can 😅 Sorry I missed your question on IRC 😢

#MaradoWeekly #WeeklyRecord Week 37

Image

@jmjl@tilde.green howdy! Sorry for mistaken you with https://blog.nfld.uk/ (jlj), but glad to connect. Cheers!

@mckinley@twtxt.net To answer some of your questions:

Are SSH signatures standardized and are there robust software libraries that can handle them? We’ll need a library in at least Python and Go to provide verified feed support with the currently used clients.

We already have this. Ed25519 libraries exist for all major languages. Aside from using ssh-keygen -Y sign and ssh-keygen -Y verify, you can also use the salty CLI itself (https://git.mills.io/prologic/salty), and I’m sure there are other command-line tools that could be used too.

If we all implemented this, every twt hash would suddenly change and every conversation thread we’ve ever had would at least lose its opening post.

Yes. This would happen, so we’d have to make a decision around this, either a) a cut-off point or b) some way to progressively transition.

@bender@twtxt.net Holy shit that pod is still alive?! 🤔

@sorenpeter@darch.dk WebFinger requires additional setup that whilsts helps to solve the “identity” problem in an “abstract” way, that extra infra that needs to be setup a) isn’t trivial and b) hard to support on “shared hosting”.

Sharing hosting is also the reason why you can’t just use part of a URL really.

On my blog: Developer Diary, Chrysanthemum Day https://john.colagioia.net/blog/2024/09/09/chrysanthemum.html #programming #project #devjournal

how little data is needed for generating the hashes? Instead of the full URL, can we makedo with just the domain (example.net) so we avoid the conflicts with gemini://, https:// and only http:// (like in my own twtxt.txt) or construct something like like a webfinger id nick@domain (also used by mastodon etc.) from the domain and nick if there, else use domain as nick as well

Where all folks?!

@movq@www.uninformativ.de Peobably not and I wouldn’t expect them to either 😅

But in all seriousness I’ve only ever wanted to improve Twtxt without sacrificing its simplicity too much.

@movq@www.uninformativ.de Sorry haha I didn’t mean for it to sound like that 🤣

@mckinley@twtxt.net Hmmm? Care to elaborate? 🤣

@falsifian@www.falsifian.org tag:twtxt.net,2024-09-08:SHA256:23OiSfuPC4zT0lVh1Y+XKh+KjP59brhZfxFHIYZkbZs? :)

@falsifian@www.falsifian.org

Key rotation

Key rotation is useful for security reasons, but I don’t think it’s necessary here because it’s only used for verifying one’s identity. It’s no different (to me) than Nostr or a cryptocurrency. You change your key, you change your identity.

It makes maintaining a feed more complicated.

This is an additional step that you’d have to perform, but I definitely wouldn’t want to require it for compatibility reasons. I don’t see it as any more complicated than computing twt hashes for each post, which already requires you to have a non-trivial client application.

Instead, maybe…allow old urls to be rotated out?

That could absolutely work and might be a better solution than signatures.

HTTPS is supposed to do

My first thought when reading this was to go to my typical response and suggest we use Nostr instead of introducing cryptography to Twtxt. The more I thought about it, however, the more it made sense.

1. It solves the problem elegantly, because the feed can move anywhere and the twt hashes will remain the same.
   
2. It provides proof that a post is made by the same entity as another post.
   
3. It doesn’t break existing clients.
   
4. Everyone already has SSH on their machine, so anyone creating feeds manually could adopt this easily.
   

There are a couple of elephants in the room that we ought to talk about.

1. Are SSH signatures standardized and are there robust software libraries that can handle them? We’ll need a library in at least Python and Go to provide verified feed support with the currently used clients.
   
2. If we all implemented this, every twt hash would suddenly change and every conversation thread we’ve ever had would at least lose its opening post.

🧮 USERS:1 FEEDS:2 TWTS:1087 ARCHIVED:78676 CACHE:2491 FOLLOWERS:17 FOLLOWING:14

@lyse@lyse.isobeef.org This looks like a nice way to do it.

Another thought: if clients can’t agree on the url (for example, if we switch to this new way, but some old clients still do it the old way), that could be mitigated by computing many hashes for each twt: one for every url in the feed. So, if a feed has three URLs, every twt is associated with three hashes when it comes time to put threads together.

A client stills need to choose one url to use for the hash when composing a reply, but this might add some breathing room if there’s a period when clients are doing different things.

(From what I understand of jenny, this would be difficult to implement there since each pseudo-email can only have one msgid to match to the in-reply-to headers. I don’t know about other clients.)

MNT Pocket Reform: Linux-Powered Mini Laptop with Rockchip RK3588 or Amlogic A311D CPU Modules
The MNT Pocket Reform is now officially available for purchase, following the successful delivery of crowdfunded units via Crowd Supply. This 7″ modular mini laptop offers a range of customization options, making it a suitable option for open-source enthusiasts and developers. Users can select from multiple CPU modules, including the A311D (Banana Pi) and t … ⌘ Read more

NanoPi R3S is a $30 Router Board with Dual GbE and FriendlyWrt OS Support
The FriendlyElec NanoPi R3S is an open-source platform designed for IoT applications such as NAS systems and other network-intensive tasks. The device runs on the FriendlyWrt operating system, which is based on OpenWrt. This compact board is powered by the Rockchip RK3566 SoC, featuring a quad-core ARM Cortex-A55 processor clocked at up to 1.8GHz. It

Six years after my current laptop was purchased, I am going to replace it. The initial cause: one component I cannot find a replacement for - a dilated fan. In the meantime, I also got issues with the keyboard, which a replacement might possibly be found - I didn’t check since the fan issue has no apparent solution.

It is sad that I am being made to replace it before the #RightToRepair European directive was transposed to Portuguese law, but I am still hoping that soon this sort of #ewaste is a thing of the past.

“Fun facts”:

• Laptops account for about 40% of all e-waste generated in the European Union;
  
• Over 90% of a laptop’s environmental impact occurs during the production stage.

LILYGO T3 S3 LR1121: Low-Power LoRa Transceiver for IoT Applications
The LILYGO T3 S3 LR1121 is a development board that supports low-power, long-range wireless communication using LoRa technology. It features the ESP32-S3 System-on-Chip, which offers 2.4 GHz Wi-Fi and Bluetooth Low Energy connectivity, making it suitable for various IoT projects. At the core of the board is the ESP32S3FH4R2 microcontroller, which includes dual-core Xtensa LX7

On my blog: Holding Universal Access to All Knowledge Hostage https://john.colagioia.net/blog/2024/09/08/internet-archive.html #politics #rant

@movq@www.uninformativ.de True 👌

@movq@www.uninformativ.de Tbey all hate me for stomping on their precious dear twtxt 🤣

@lyse@lyse.isobeef.org Hmmm interesting idea 🤔

@movq@www.uninformativ.de Another idea: just hash the feed url and time, without the message content. And don’t twt more than once per second.

Maybe you could even just use the time, and rely on @-mentions to disambiguate. Not sure how that would work out.

Though I kind of like the idea of twts being immutable. At least, it’s clear which version of a twt you’re replying to (assuming nobody is engineering hash collisions).

In fact, maybe your public key idea is compatible with my last point. Just come up with a url scheme that means “this feed’s primary URL is actually a public key”, and then feed authors can optionally switch to that.

@prologic@twtxt.net Some criticisms and a possible alternative direction:

1. Key rotation. I’m not a security person, but my understanding is that it’s good to be able to give keys an expiry date and replace them with new ones periodically.

2. It makes maintaining a feed more complicated. Now instead of just needing to put a file on a web server (and scan the logs for user agents) I also need to do this. What brought me to twtxt was its radical simplicity.

Instead, maybe we should think about a way to allow old urls to be rotated out? Like, my metadata could somehow say that X used to be my primary URL, but going forward from date D onward my primary url is Y. (Or, if you really want to use public key cryptography, maybe something similar could be used for key rotation there.)

It’s nice that your scheme would add a way to verify the twts you download, but https is supposed to do that anyway. If you don’t trust https to do that (maybe you don’t like relying on root CAs?) then maybe your preferred solution should be reflected by your primary feed url. E.g. if you prefer the security offered by IPFS, then maybe an IPNS url would do the trick. The fact that feed locations are URLs gives some flexibility. (But then rotation is still an issue, if I understand ipns right.)

Inside the out feeling

On the Subject of Feed Identities; I propose the following:

1. Generate a Private/Public ED25519 key pair
   
2. Use this key pair to sign your Twtxt feed
   
3. Use it as your feed’s identity in place of # url = as # key = ...
   

For example:

$ ssh-keygen -f prologic@twtxt.net
$ ssh-keygen -Y sign -n prologic@twtxt.net -f prologic@twtxt.net twtxt.txt

And your feed would looke like:

# nick        = prologic
# key         = SHA256:23OiSfuPC4zT0lVh1Y+XKh+KjP59brhZfxFHIYZkbZs
# sig         = twtxt.txt.sig
# prev        = j6bmlgq twtxt.txt/1
# avatar      = https://twtxt.net/user/prologic/avatar#gdoicerjkh3nynyxnxawwwkearr4qllkoevtwb3req4hojx5z43q
# description = "Problems are Solved by Method" 🇦🇺👨‍💻👨‍🦯🏹♔ 🏓⚯ 👨‍👩‍👧‍👧🛥 -- James Mills (operator of twtxt.net / creator of Yarn.social 🧶)

2024-06-14T18:22:17Z	(#nef6byq) @<bender https://twtxt.net/user/bender/twtxt.txt>  Hehe thanks! 😅 Still gotta sort out some other bugs, but that's tomorrows job 🤞
...

Twt Hash extension would change of course to use a feed’s ED25519 public key fingerprint.

@aelaraji@aelaraji.com My work has this thing called “compressed work”, where you can buy extra time off (as much as 4 additional weeks) per year. It comes out of your pay though, so it’s not exactly a 4-day work week but it could be useful, just haven’t tired it yet as I’m not entirely sure how it’ll affect my net pay

@bender@twtxt.net Yes, they do 🤣 Implicitly, or threading would never work at all 😅 Nor lookups 🤣 They are used as keys. Think of them like a primary key in a database or index. I totally get where you’re coming from, but there are trade-offs with using Message/Thread Ids as opposed to Content Addressing (like we do) and I believe we would just encounter other problems by doing so.

My money is on extending the Twt Subject extension to support more (optional) advanced “subjects”; i.e: indicating you edited a Twt you already published in your feed as @falsifian@www.falsifian.org indicated 👌

Then we have a secondary (bure much rarer) problem of the “identity” of a feed in the first place. Using the URL you fetch the feed from as @lyse@lyse.isobeef.org ’s client tt seems to do or using the # url = metadata field as every other client does (according to the spec) is problematic when you decide to change where you host your feed. In fact the spec says:

Users are advised to not change the first one of their urls. If they move their feed to a new URL, they should add this new URL as a new url field.

See Choosing the Feed URL – This is one of our longest debates and challenges, and I think (_I suspect along with @xuu@txt.sour.is _) that the right way to solve this is to use public/private key(s) where you actually have a public key fingerprint as your feed’s unique identity that never changes.

@aelaraji@aelaraji.com Join the club! 🤣 How about more days in a weekend?! 😱 Bringon #FourDayWorkWeek !!! 🤣

@bender@twtxt.net Haha, easy to demonstrate. I’ll start an email thread with myself, then you see if you can join in 🤣

We can also make use of comments in the feed to build support for detecting/declaring Twts(s) were edited in a feed that are ignored by clients that don’t understand the comments. By design clients ignore comments anyway, but the parser we build for yarnd (which I’d love to turn into a C library that others can just import) can do some interesting things here. @xuu@txt.sour.is can probably talk more on this…

I think Email Message-Id(s) only ever worked because typically you are exchanging emails with recipients you know and vice versa. It’s much easier to cope with the problems above, because you just ensure your client preserves the Message-Id. Email is a federated system, but by no means is it “decentralised”. You still have to send your email somewhere, not just post it on a website on your own server like Twtxt 😅

There are some subtitles differences like this that makes Message/Thread Id(s) not really that suitable IMO.

@bender@twtxt.net The problem with the approach Email clients do things is;

• How do you come up with the message/thread id in the first place? I’m pretty sure most clients just use a UUID.
  
• How do you know what you’re replying to if you don’t see the message/thread id in the first place?
  
• How do two different users that don’t know each other, but follow the same feed (say /.) make two independent responses forming a thread? What message/thread id do they use? (see above)

@bender@twtxt.net Sorry, trust was the wrong word. Trust as in, you do not have to check with anything or anyone that the hash is valid. You can verify the hash is valid by recomputing the hash from the content of what it points to, etc.

@falsifian@www.falsifian.org Yes;

I don’t think twtxt hashes are long enough to prevent spoofing.

The current spec needs to be updated to expand the hash length to 11 characters to avoid hash collisions (which will happen at some point with 7, if not already).

The issue isn’t dealing with “spoofing”, it’s about solving how clients in a decentralised model agree on the threading model and identity of a thread. Message ID(s) suffer from the fact that as @movq@www.uninformativ.de points out, clients have to “obey” this unwritten rule, but they’re otherwise just arbitrary. Whereas Twt Hashes (I didn’t come up with the idea originally, some smart fellow in cryptography did) are content addressable, meaning that clients don’t have to agree on anything, they can trust that the hash is a cryptographic representing of the thread they’re replying to, no matter what.

@falsifian@www.falsifian.org I like this idea actually for edits.

@movq@www.uninformativ.de @prologic@twtxt.net Another option would be: when you edit a twt, prefix the new one with (#

@movq@www.uninformativ.de Care to share your thoughts here?

I don’t know what happened behind the scenes that killed off twtxt (I have a few guesses, though), but the sad truth is that it’s gone.

Agreed

@bender@twtxt.net A Fred changed its url metadata field 🤣

On my blog: Free Culture Book Club — Aumyr, part 1 https://john.colagioia.net/blog/2024/09/07/aumyr-1.html #freeculture #bookclub

After unfollowing and refollowing on the new feed URL, I’m now 100% certain this is what happened for @cuaxolotl@sunshinegardens.org 🤣 The real problem is really this:

How do we identify a feed?

It cannot be the URL, because the author could change where they serve it from. This was as “good” as we could get it, but time and time again this has proven to be problematic for, well, a few folks that change their mind, which frankly should be allowed 😅

For supporting edits, I was thinking more along the lines of: If a client edits a Twt already published, it should put the hash of the previous Twt. Something like:

2024-09-05T13:37:40Z   (edit:mp6ox4a) Hello world!

For supporting edits, I was thinking more along the lines of: If a client edits a Twt already published, it should put the hash of the previous Twt. Something like:

2024-09-05T13:37:40+00:00   (edit:mp6ox4a) Hello world!

To be honest, I don’t really see “editing” as a problem. I see that as a natural behavior of “forking” in the first place, that just forms a. new sub-tree. What’s really problematic here is when a feed author changes the “identity” of their feed and changes the # url = metadata field, which is what I believe @cuaxolotl@sunshinegardens.org has just done, though I’m not 100% certain, I’m like 98% sure haha 😝

@lyse@lyse.isobeef.org Did you check your pocket? 🤣

@movq@www.uninformativ.de Sorry but what’s a partial hash exactly? 🤔

@cuaxolotl@sunshinegardens.org Did you recently change the url metdata key of your feed?

# url = https://sunshinegardens.org/~xj9/twtxt/tw.txt

Was this at one point # url = https://sunshinegardens.org/users/xj9/twtxt/tw.txt?

@lyse@lyse.isobeef.org Please for the love of god, elaborate 😅

@lyse@lyse.isobeef.org da fuq?! same here, what did you just reply to?! 🤔

@lyse@lyse.isobeef.org da hell are you replying to?! 🤣

Offline backups currently cost me around ~$2.00 AUD per month.

Spent the day performing backups (hadn’t done it in a while 😱) and wrote a full backup definition internal document that defines my backup process, scope, security, frequency, backup locations, capacity and backup and restoration procedures. Very happy with the doc and the updated (now fully documented) plan and scheduled backup frequency (once per month, which I’ll put into my calendar as it’s done by hand for now, with tools). So far backing up ~410GB out of a possible ~12.8TB worth of data in two locations – I deliberately don’t backup everything as much of the data can be re-created (music, videos, tv shows, etc). #Backups #Data

RDK X3 Development Board: Raspberry Pi 4B Form Factor with 5TOPs BPU
The D-Robotics RDK X3 Development Board, recently showcased by Waveshare, is a versatile platform designed for edge AI applications, offering a powerful combination of processing and inference capabilities. The board comes in a form factor similar to the Raspberry Pi 4B, including a 40-pin GPIO for easy expansion. According to the product page, the board

I’ll share my opinion on this later 🤣

What do we think about this? 😅

Swa this pop up in my Github news feed today 🤔 Which links to https://github.com/musingstudio/go-subclub

A Go (golang) library for interacting with the sub.club API.

So I got curious and had a peek 👀

Let’s fund the Fediverse

Posting or hosting on the open social networks no longer means you have to do it for free. Developer Preview now available.

And further down:

Monetize your feeds

If you post quality content and you’ve developed a loyal audience, you should be able to ask your most passionate followers to support you with a premium subscription.

That’s a promise not available on the Fediverse …until now.

Hmmm 🤔

@slashdot@feeds.twtxt.net I can only see a mass exodus of uses fleeing telegram as the service becomes less secure or less privacy focused and basically more shit.

@quark@ferengi.one cheers 🍻

it might have made sense in the days of hose and buggy and smoke signals to centralise everything, but these days we have a globalized interconnected society with fast transport and communications. There is no reason for this model anymore 🤣

@slashdot@feeds.twtxt.net Can we please stop this whole “Back to the Office” garbage nonsense?! 😱 If a job does not require the physical presence of a person(s) to perform their role, or they are not “customer facing” or in a job that’s required to “serve the public”, let’s just stop this utter nonsense. As much as I want my shares in Cromwell to go up, I really don’t care. Let the corporate office buildings burn to the ground for all I care, turn them into cheap housing estates or apartments. Why we ever thought centralizing in once place to live and work is beyond me 🤦‍♂️

@cuaxolotl@sunshinegardens.org No you’re not the only one. I do this too, I often think about a problem in my head, even imagine the code, sometimes for weeks, hell even months, before I even write a line of code 🧑‍💻

@lyse@lyse.isobeef.org Thankfully it’s quite cool here so far 👌

On my blog: Toots 🦣 from 09/02 to 09/06 https://john.colagioia.net/blog/2024/09/06/week.html #linkdump #socialmedia #quotes #week

Telegram Disables ‘Misused’ Features As CEO Faces Criminal Charges
Following the arrest of its CEO Pavel Durov last month, the encrypted messaging service said it has disabled some “outdated” and “misused” features used by anonymous users. The Verge reports: The first changes to the app following his arrest in France last month affect its built-in blog posts and a “People Nearby” location-based feature.

Telegram Disables ‘Misused’ Features As CEO Faces Criminal Charges
Following the arrest of its CEO Pavel Durov last month, the encrypted messaging service said it has disabled some “outdated” and “misused” features used by anonymous users. The Verge reports: The first changes to the app following his arrest in France last month affect its built-in blog posts and a “People Nearby” location-based feature.

One can tell the weekend is fast approaching, as things around these parts tend to slow down then. Cheers everyone! :-)

Je cherche un espace où publier une sorte de blog. Juste du texte. Un truc comme faisait rawtext.club ou midnight.pub, mais qui accepte les nouvelles inscriptions. Vous auriez des suggestions? #smolweb

PwC ‘Tipping the Balance’ of Hybrid Working and Will Start Tracking Its Workers’ Locations
PwC has demanded staff spend less time working from home – and it’s going to start tracking their location to ensure they comply. From a report: The accountancy firm informed its 26,000 U.K. employees in a memo that from January they’ll be expected to be at their desks – or with clients – at leas … ⌘ Read more