Taking the last n characters of a base32 encoded hash instead of the first n can be problematic for several reasons:

1. Hash Structure: Hashes are typically designed so that their outputs have specific statistical properties. The first few characters often have more entropy or variability, meaning they are less likely to have patterns. The last characters may not maintain this randomness, especially if the encoding method has a tendency to produce less varied endings.

2. Collision Resistance: When using hashes, the goal is to minimize the risk of collisions (different inputs producing the same output). By using the first few characters, you leverage the full distribution of the hash. The last characters may not distribute in the same way, potentially increasing the likelihood of collisions.

3. Encoding Characteristics: Base32 encoding has a specific structure and padding that might influence the last characters more than the first. If the data being hashed is similar, the last characters may be more similar across different hashes.

4. Use Cases: In many applications (like generating unique identifiers), the beginning of the hash is often the most informative and varied. Relying on the end might reduce the uniqueness of generated identifiers, especially if a prefix has a specific context or meaning.

In summary, using the first n characters generally preserves the intended randomness and collision resistance of the hash, making it a safer choice in most cases.

@quark@ferengi.one Do you mean something like this?

$ ./yarnc debug ~/Public/twtxt.txt | tail -n 1
kp4zitq 2024-09-08T02:08:45Z	(#wsdbfna) @<aelaraji https://aelaraji.com/twtxt.txt> My work has this thing called "compressed work", where you can **buy** extra time off (_as much as 4 additional weeks_) per year. It comes out of your pay though, so it's not exactly a 4-day work week but it could be useful, just haven't tired it yet as I'm not entirely sure how it'll affect my net pay

So yeah no, whilst it technically works, neither jenny nor yarnd support it very well. Only at a very basic level.

@bender@twtxt.net I should put the template that is used by default as a file in the repo. Look at the source for now and you’ll see 😅

Just that yarnd (at least) doesn’t support creating such a custom TwtSubject, but it will reply and respect and thread one if one was constructed.

@aelaraji@aelaraji.com I just added support for passing a custom template file via -T/--template in case you need a custom template 👌

prologic@JamessMacStudio
Wed Sep 18 01:27:29
~/Projects/yarnsocial/twtxt2html
 (main) 130
$ ./twtxt2html --help
Usage: twtxt2html [options] FILE|URL

twtxt2html converts a twtxt feed to a static HTML page
  -d, --debug             enable debug logging
  -l, --limit int         limit number ot twts (default all) (default -1)
  -n, --noreldate         do now show twt relative dates
  -r, --reverse           reverse the order of twts (oldest first)
  -T, --template string   path to template file
  -t, --title string      title of generated page (default "Twtxt Feed")
  -v, --version           display version information
pflag: help requested

@aelaraji@aelaraji.com Btw, I’m also open to ideas for this tool and welcome any contributions 👌

This scheme also only support threading off a specific Twt of someone’s feed. What if you’re not replying to anyone in particular?

@quark@ferengi.one We will fix this soon™ 🔜

@aelaraji@aelaraji.com So what is it about @sorenpeter@darch.dk’s feed that’s screwed with your client? (Jenny?) 🤔 Kind of curious now 🤣

IMO we just have to fix the identity problem and figure out how to detect or support edits.

@mckinley@twtxt.net To answer some of your questions:

Are SSH signatures standardized and are there robust software libraries that can handle them? We’ll need a library in at least Python and Go to provide verified feed support with the currently used clients.

We already have this. Ed25519 libraries exist for all major languages. Aside from using ssh-keygen -Y sign and ssh-keygen -Y verify, you can also use the salty CLI itself (https://git.mills.io/prologic/salty), and I’m sure there are other command-line tools that could be used too.

If we all implemented this, every twt hash would suddenly change and every conversation thread we’ve ever had would at least lose its opening post.

Yes. This would happen, so we’d have to make a decision around this, either a) a cut-off point or b) some way to progressively transition.

On the Subject of Feed Identities; I propose the following:

1. Generate a Private/Public ED25519 key pair
   
2. Use this key pair to sign your Twtxt feed
   
3. Use it as your feed’s identity in place of # url = as # key = ...
   

For example:

$ ssh-keygen -f prologic@twtxt.net
$ ssh-keygen -Y sign -n prologic@twtxt.net -f prologic@twtxt.net twtxt.txt

And your feed would looke like:

# nick        = prologic
# key         = SHA256:23OiSfuPC4zT0lVh1Y+XKh+KjP59brhZfxFHIYZkbZs
# sig         = twtxt.txt.sig
# prev        = j6bmlgq twtxt.txt/1
# avatar      = https://twtxt.net/user/prologic/avatar#gdoicerjkh3nynyxnxawwwkearr4qllkoevtwb3req4hojx5z43q
# description = "Problems are Solved by Method" 🇦🇺👨‍💻👨‍🦯🏹♔ 🏓⚯ 👨‍👩‍👧‍👧🛥 -- James Mills (operator of twtxt.net / creator of Yarn.social 🧶)

2024-06-14T18:22:17Z	(#nef6byq) @<bender https://twtxt.net/user/bender/twtxt.txt>  Hehe thanks! 😅 Still gotta sort out some other bugs, but that's tomorrows job 🤞
...

Twt Hash extension would change of course to use a feed’s ED25519 public key fingerprint.

@bender@twtxt.net Yes, they do 🤣 Implicitly, or threading would never work at all 😅 Nor lookups 🤣 They are used as keys. Think of them like a primary key in a database or index. I totally get where you’re coming from, but there are trade-offs with using Message/Thread Ids as opposed to Content Addressing (like we do) and I believe we would just encounter other problems by doing so.

My money is on extending the Twt Subject extension to support more (optional) advanced “subjects”; i.e: indicating you edited a Twt you already published in your feed as @falsifian@www.falsifian.org indicated 👌

Then we have a secondary (bure much rarer) problem of the “identity” of a feed in the first place. Using the URL you fetch the feed from as @lyse@lyse.isobeef.org ’s client tt seems to do or using the # url = metadata field as every other client does (according to the spec) is problematic when you decide to change where you host your feed. In fact the spec says:

Users are advised to not change the first one of their urls. If they move their feed to a new URL, they should add this new URL as a new url field.

See Choosing the Feed URL – This is one of our longest debates and challenges, and I think (_I suspect along with @xuu@txt.sour.is _) that the right way to solve this is to use public/private key(s) where you actually have a public key fingerprint as your feed’s unique identity that never changes.

@bender@twtxt.net Sorry, trust was the wrong word. Trust as in, you do not have to check with anything or anyone that the hash is valid. You can verify the hash is valid by recomputing the hash from the content of what it points to, etc.

Anyone had any intereractions with @cuaxolotl@sunshinegardens.org yet? Or are they using a client that doesn’t know how to detect clients following them properly? Hmmm 🧐

It’s a really good time to invest in nVIDIA shares 🤣

@lyse@lyse.isobeef.org errors are already reported to users, but they’re only visible in the following list.

Does anyone know what the differences between HTTP/1.1 HTTP/2 and HTTP/3 are? 🤔

@falsifian@www.falsifian.org by the way, on the last Saturday of every month, we generally hold a online video call/social meet up, where we just get together and talk about stuff if, you’re interested in joining us this month.

@falsifian@www.falsifian.org You need an Avatar 😅

It’s also (expectedly) in the feed file on disk:

2024-08-04T21:22:05+10:00	[foo][foo=][foo][foo=]

@bender@twtxt.net / @mckinley@twtxt.net could you both please change your password immediately? I will also work on some other security hardening that I have a hunch about, but will not publicize for now.

A equivalent yarnc debug <url> only sees the 2nd hash

@aelaraji@aelaraji.com Ahh it might very well be a Clownflare thing as @lyse@lyse.isobeef.org eluded to 🤣 One of these days I’m going to get off Clownflare myself, when I do I’ll share it with you. My idea is to basically have a cheap VPS like @eldersnake@we.loveprivacy.club has and use Wireguard to tunnel out. The VPS becomes the Reverse Proxy that faces the internet. My home network then has in inbound whatsoever.

@lyse@lyse.isobeef.org Ahh so it’s not just me! 😅

Hmmm I’m a little concerned, as I’m seeing quite a few feeds I follow in an error state:

I’m not so concerned with the 15x context deadline exceeded but more concerned with:

aelaraji@aelaraji.com  Unfollow (6 twts, Last fetched 5m ago with error:
dead feed: 403 Forbidden
x4 times.)

And:

anth@a.9srv.net  Unfollow (1 twts, Last fetched 5m ago with error:
Get "http://a.9srv.net/tw.txt": dial tcp 144.202.19.161:80: connect: connection refused
x3733 times.)

Hmmm, maybe the stats are a bit off? 🤔

Anyway, I’m gonna have to go to bed… We’ll continue this on the weekend. Still trying to hunt down some kind of suspected mult-GB avatar using @stigatle@yarn.stigatle.no ’s pod’s cache:

$ (echo "URL Bytes"; sort -n -k 2 -r < avatars.txt | head) | column -t
URL                                                                                                       Bytes
https://birkbak.neocities.org/avatar.jpg                                                                  667640
https://darch.neocities.org/avatar.png                                                                    652960
http://darch.dk/avatar.png                                                                                603210
https://social.naln1.ca/media/0c4f65a4be32ff3caf54efb60166a8c965cc6ac7c30a0efd1e51c307b087f47b.png        327947
...

But so far nothing much… Still running the search…

@abucci@anthony.buc.ci / @abucci@anthony.buc.ci Any interesting errors pop up in the server logs since the the flaw got fixed (unbounded receieveFile())? 🤔

@stigatle@yarn.stigatle.no / @abucci@anthony.buc.ci My current working theory is that there is an asshole out there that has a feed that both your pods are fetching with a multi-GB avatar URL advertised in their feed’s preamble (metadata). I’d love for you both to review this PR, and once merged, re-roll your pods and dump your respective caches and share with me using https://gist.mills.io/

@stigatle@yarn.stigatle.no Works now! 🥳

Some bad code just broke a billion Windows machines - YouTube – This is a really good accurate and comical take on what happened with this whole Crowdstrike global fuck up.

@xuu@txt.sour.is I have a theory as to why your pod was misbehaving too. I think because of the way you were building it docker build without any --build-arg VERSION= or --build-arg COMMIT= there was no version information in the built binary and bundled assets. Therefore cache busting would not work as expected. When introducing htmx and hyperscript to create a UI/UX SPA-like experience, this is when things fell apart a bit for you. I think….

I’ve been thinking about a new term I’ve come across whilst reading a book. It’s called “Complexity Budget” and I think it has relevant in lots of difficult fields. I specifically think it has a lot of relevant in the Software Industry and organizations in this field. When doing further research on this concept, I was only able find talks on complexity budget in the context of medical care, especially phychiratistic care. In this talk it was describe as, complexity:

• Complexity is confusing
  
• Complexity is costly
  
• Complexity kills
  

When we think of “complexity” in terms of software and software development, we have a sort-of intuitive about this right? We know when software has become too complex. We know when an organization has grown in complexity, or even a system. So we have a good intuition of the concept already.

My question to y’all is; how can we concretely think about “Complexity Budget” and define it in terms that can be leveraged and used to control the complexity of software dns ystems?

Can anyone recommend and/or vouch for a Chrome/browser extension that lets me write rewrite rules for arbitrary links on a page? e.g: s/(www\.)?youtube.com\/watch?v=([^?]+)/tubeproxy.mills.io/play/\1 for example? 🤔

@johanbove@johanbove.info Have you played with htmx at all? 🤔

prologic/tunesnap: tunesnap is a web application for downloading, extracting and encoding the audio tracks of videos into downloadable audio. - tunesnap - Mills

Should I just code in a work-around? If the Referer is /post then consider that total bullshit, and ignore? 🤔

@bender@twtxt.net Hmmmm I’m not sure about this… 🧐 Does anyone have any other opinions that know this web/session security better than me?

👋 If y’all notice any weird quirks or UI/UX bugs of late on my pod, please let me know! 🙏 For those that have a Javascript enabled web browser will notice (hopefully) a SPA (single page app) like experience, even in Mobile! No more full page refreshes! All this without writing a single line of Javascript (let alone React or whatever) 😅 – HTMX is pretty damn cooL! 😎 #htmx

Thinking about how to programmatically manage what’s displayed on the Front page / Discover view…

Today we have the two optinos:

• Local posts only
  
• All posts in cache
  

I’m thinking of additional checkbox (on|off) options such as:

• Latest post per feed
  

Any other ways we can manage this a bit better? 🤔

What’s that thing called when everyone on a social media platform (hardly matters which one) all post the same sort of thing. It all sounds oh so wonderful, or all so dramatic, everyone claps and cheers and thumbs up or whatever. What’s that thing called? There’s a term for it hmmm 🧐

👋 Okay folks, let’s startup the Yarn.social calls again.

• Event: Yarn.social Online Meetup
  
• When: 25th May 2024 at 12:00pm UTC (midday)
  
• Where: Mills Meet : Yarn.social
  
• Cadence: 4th Saturday of every Month
  

Agenda:

Anything we want to talk about. Twtxt, Yarn, self hosting, cool stuff you’ve been working on. chit-chat, whatever 😅

#Yarn.social #Meetup

I think multi-user pods were a mistake.

@bendwr and I discussing something along the lines of: I.e: How to deal with or reduce noise from legacy feeds.

Been clearing out my pod a bit and blocking unwanted domains that are basically either a) just noise and/or b) are just 1-way (whose authors never reply or are otherwise unaware of the larger ecosystem)

Let me know if y’all have any other candidates you’d like me to add to the blocked domain list?

</> htmx - high power tools for html really liking the idea of htmx 🤔 If I don’t have to learn all this complicated TypeScript/React/NPM garbage, I can just write regular SSA (Server-Side-Apps) and then progressively upgrade to SPA (Single-Page-App) using htmx hmmm 🧐

Why don’t more people borrow to invest and increase their portfolio and wealth? 🤔

So what do we think of the Reddit IPO? 🤔

@bender@twtxt.net That’s what I also don’t understand. What is driving all this pierced hate and ignorance in the world lately?!

wat da fuq does being “woke” even mean?! 🤦‍♂️

Update on my Fibre to the Premise upgrade (FTTP). NBN installer came out last week to install the NTD and Utility box, after some umming and arring, we figured out the best place to install it. However this mean he wasn’t able to look it up to the Fibre in the pit, and required a 2nd team to come up and trench a new trench and conduit and use that to feed Fibre from the pit to the utility box.

I rang up my ISP to find out when this 2nd team was booked, only to discover to my horror and the horror of my ISP that this was booked a month out on the 2rd Feb 2024! 😱

After a nice small note from my provider to NBN, suddenly I get a phone call and message from an NBN team that do trenching to say it would be done on Saturday (today). That got completed today (despite the heavy rain).

Now all that’s left is a final NBN tech to come and hook the two fibre pieces together and “light it up”! 🥳

Feedback on why I didn’t choose Mattermost (lack of OIDC) · mattermost/mattermost · Discussion – My discussions/feedback on Mattermost’s decision to have certain useful and IMO should be standard features as paid-for features on a per-seat licensed basis. My primary argument is that if you offer a self-host(able) product and require additional features the free version does not have, you should not have to pay for a per-seat license for something you are footing the bill for in terms of Hardware/Compute and Maintenance/Support (havintg to operate it).

Hope you have a good holidays folks 👋 Merry xmas to those that celebrate that 🎅 and happy holidays 🏖️

@johanbove@johanbove.info With pygame or something else? 🤔

Day 3 of #AdventOfCode puzzle 😅

Let’s go! 🤣

Come join us! 🤗

👋 Hey you Twtxters/Yarners 👋 Let’s get a Advent of Code leaderboard going!

Join with 1093404-315fafb8 and please use your usual Twtxt feed alias/name 👌

Twtxt/Yarn AoC > Leaderboard

Day 2, Part 1 and Day 2, Part 2 of #AdvenOfCode all done and dusted 😅

~22h to go for the 3rd #AdventOfCode puzzle (Day 3) 😅

Come join us!

👋 Hey you Twtxters/Yarners 👋 Let’s get a Advent of Code leaderboard going!

Join with 1093404-315fafb8 and please use your usual Twtxt feed alias/name 👌

Twtxt/Yarn AoC > Leaderboard

Starting Advent of Code today, a day late but oh well 😅 Also going to start a Twtxt/Yarn leaderboard. Join with 1093404-315fafb8 and please use your usual Twtxt feed alias/name 👌

Bah we’ve caught COVID again 🤯

@slashdot@feeds.twtxt.net I feel like this is a bit of a common pattern? Company builds an awesome product, makes it free for a lot of users, then create additional features and paid plans, makes a tonne of money. But then later decide they need to make more money, so focus on converting the free users to paid users. Hmmm 🤔 Surely this can’t be the only viable business model? 🤔

wtf is going on with Microsoft and OpenAI of late?! LIke Microsoft bought into OpenAI for some shocking $10bn USD, then Sam Altman gor fired, now he’s been hired by Microsoft to run up a new “AI” division. wtf/! seriously?! 🤔 #Microsoft #OpenAI #Scandal

So Youtube rea really cracking down on Ad-blockers. The new popup is a warning saying you can watch 3 videos before you can watch no more. Not sure for how long. I guess my options are a) wait for the ad-blockers to catch-up b) pay for Youtube c) Stop using Youtube.

I think I’m going with c) Stop using Youtube.

The Unreasonable Effectiveness Of Plain Text - YouTube – This is very good 👌

I’m telling ya guys 😅 plex.tv had way better shit™, Get it installed on your own server, get access to free content + your own + whatever and no stupid tracking and bullshit 🤣

Oh okay, so Youtube is cracking down on “Ad Blockers”. Rightio. 🤔 And paying for Youtube Premium costs $14/month?! 🤯 Get fucked 🤣 I guess I won’t be using Youtube anymore. #Youtube #Ads #Premium #Suck

I added the Yarn Desktop Client and Goovy Twtxt to the landing page for Yarn.social

cc @mckinley@twtxt.net @stigatle@yarn.stigatle.no

Need to share something with your smart phone?

qrcode "$(pbpaste)" | open -a Preview.app -f

Hmm when I said “Wireguard is kind of cool” in this twt now I’m not so sure 😢 I can’t get “stable tunnels” to freak’n stay up, survive reboots, survive random disconnections, etc. This is nuts 🤦‍♂️

fractalnetworksco/selfhosted-gateway: Route HTTPS traffic to local Docker containers through a cloud VPS over WireGuard. Ideal for self-hosting behind CGNAT.

@eapl.me@eapl.me Hmmm interesting 🤔 Your trying to use 2FA as passwords? 🤔

What if I run my Gitea Actions Runners on some Vultr VM(s) for now? At least until I get some more hardware just for a “build farm” 🤔

Just been playing around with some numbers… A typical small static website or blog could be run for $0.30-$0.40 USD/month. How does that compare with what you’re paying @mckinley@twtxt.net ? 🤔

@stigatle@yarn.stigatle.no Btw… I haven’t forgotten your ask of documenting the “Upload Media” API. I’m actually trying to work out how da fuq it even works myself 🤦‍♂️

Hmm need to figure out a way to squelch the size of my pod’s data directory 🤔

ASCIIFlow This is kind of cool 😅

\\--------\\
|\\       |\\
| \\------+--\\
|  |      |   |
|  |      |   |
|  |      |   |
\--+------\\  |
\\\|       \\\|
  \\---------\|

I’ve been thinking in the back of my mind for a while now, that the Yarn.social / twtxt + ActivityPub integration was a mistake and a. bad idea. I’m starting to consider it a complete failure.

Even’n all 👋

Home | Tabby This is actually pretty cool and useful. Just tried this on my Mac locally of course and it seems to have quite good utility. What would be interesting for me would be to train it on my code and many projects 😅

James Mills - vDSL2 sucks NBN sucks Copper sucks

Milk-V This is pretty cool! 👌 RISC-V is coming along nicely 🤞

How do you teach someone to have self confidence? 🤔

@xuu@txt.sour.is What about the Cluster on a mini ITX board with Raspberry Pi and Nvidia Jetson

(2) Jordan Peterson: “Meghan Markle GRATES On Me!” - YouTube

Gah apparently I’ve gone and finally caught the wretched COVID virus 😢

‘You Just Lied’: Elon Musk Slaughters BBC Reporter In Live Interview - YouTube As much as I don’t hold a very high opinion of Elon Musk (and to be fair I don’t actually know him all that well, only what I’ve read about him and observed), this particular video however is quite hilarious. This (ignoring the Twitter™ nonsense) is hilariously funny and quite on point. “Who decides whether its misinformation anyway?” And “You can’t even provide one example” Haha 🤣

PS: Don’t read too much in my posting this 😅

💡 Quick ‘n Dirty prototype Yarn.social protocol/spec:

If we were to decide to write a new spec/protocol, what would it look like?

Here’s my rough draft (back of paper napkin idea):

• Feeds are JSON file(s) fetchable by standard HTTP clients over TLS
  
• WebFinger is used at the root of a user’s domain (or multi-user) lookup. e.g: prologic@mills.io -> https://yarn.mills.io/~prologic.json
  
• Feeds contain similar metadata that we’re familiar with: Nick, Avatar, Description, etc
  
• Feed items are signed with a ED25519 private key. That is all “posts” are cryptographically signed.
  
• Feed items continue to use content-addressing, but use the full Blake2b Base64 encoded hash.
  
• Edited feed items produce an “Edited” item so that clients can easily follow Edits.
  
• Deleted feed items produced a “Deleted” item so that clients can easily delete cached items.
  

#Yarn.social #Protocol #Ideas

Given the continued hostility of jam6 and buckket over Yarn’a use of Twtxt (even after several years! 😱) I am continuing to face hard decisions.

I am not sure what to do about this. 🤔 I am quite confident that the hostility and sentiment is not held by all Twtxt users past and present 😢

This is a case of a few upset purists who prefer to mock, shame and behave passive aggressively instead of contributing to a healthy discussion and ecosystem.

I am uncertain what Yarn should do here 😢

Tailscale · Best VPN Service for Secure Networks - Anyone know anything about Tailscale? Used it? Recommend it? How does it stack up in terms of actual secure networking and VPN access to your infra? Can it be trusted

I notice it uses WirGuard™ and is actually written in Go 😅

slides/go-generics.md at main - slides - Mills – I’m presenting this tomorrow at work, something I do every Wednesday to teach colleagues about Go concepts, aptly called go mills() 😅

julien040/gut: An easy-to-use git client for Windows, macOS, and Linux

Q: Is anyone actually finding the activitypub experimental feature I’ve been working on (for those running main) actually useful? 🤔 (because I’m not and having second thoughts…)

Imagine having this wrapped around your head 😱

@stigatle@yarn.stigatle.no I don’t think this is working very well tonight for some reason 😅

👋 Hey y’all yarners 🤗 – @darch@neotxt.dk and I have been discussing in our Weekly Yarn.social call (still ongoing… come join us! 🙏) about the experimental Yarn.social <-> Activity Pub integration/bridge I’ve been working on… And mostly whether it’s even a good idea at al, and if we should continue or not?

There are still some outstanding issues that would need to be improved if we continued this regardless

Some thoughts being discussed:

• Yarn.social pods are more of a “family”, where you invite people into your “home” or “community”
  
• Opening up to the “Fedivise” is potentially “uncontrolled”
  
• Even at a small scale (a tiny dev pod) we see activities from servers never interacted with before
  
• The possibility of abuse (because basically anything can POST things to your Pod now)
  
• Pull vs. Push model polarising models/views which whilst in theory can be made to work, should they?
  

Go! 👏

So who currently is running main or edge of Yarn.social’s yarnd on their pod and has activitypub and webfinger enabled? 🤔

I’ll be available on video for the next couple of hours, if anyone wants to join:

https://meet.mills.io/call/Yarn.social

This is the GraphQL compiler complaining right? 🤔

Sometimes being in a webinar with Google™ engineers makes you feel quite dumb and that you just realise how much you don’t know 🤣

📣 Update on Activity Pub: Just a quick update on the Yarn.social <-> Activity Pub (aka Mastodon and others):

• Can follow other Activity Pub actors ✅
  
• Can be followed by other Activity Pub actors ✅
  
• Your posts can be seen by Activity Pub actors ✅
  
• You can see posts from Activity Pub actors ✅
  

What does not yet work:

• Translating replies (aka threading) ❌