@kaniini There are a couple of good points in here, but this is a really cynical take on AP.

I'd agree it has some blindspots that need to be addressed, but lines such as "In an ideal world, the number of ActivityPub implementations would be zero." is pure hyperbole.

Further I would give it more deference if it presented a viable option as opposed to "this is bad, but I don't know how to do it better"

We gotta do better than this if we are to push forward.

@Are0h That's part of the upcoming series. And it's kinda been hinted at on their timelines (leveraging facets of Zot's apporach, using capability URIs vs implied actions, etc) @kaniini

@jalcine Aight, cool. Hopefully will get better because this isn't a great start.

There are some salient points about security that I absolutely agree with, but most of it just seems like editorializing.

I'd rather see problems identified and then explorations of possible ways to improve.

But I guess they're saving that for later. I hope.


@Are0h @kaniini @jalcine

well, this was meant to be kind of an explanatory post of what my present world view is on activitypub, having spent a year basically bringing up an AP implementation from scratch, and working in a codebase which built on AS2 with some elements of AP as a data model.

so it basically *is* editorializing on the topic.

the next blog post in that series that i'm working out in my head actually has to do with what a merged AP + Zot6 type protocol might look like, and what is good and bad about that. it will also attempt to explain in detail why tying personal identity and cryptographic tokens together is fundamentally unwise (although my post about Blind Key Rotation went into some explanation on why that is unwise too), and introduce a construction of capability URIs and proof responses as an alternative.

@kaniini @kaniini @jalcine

Yeah I know. I just think that's a poor way of going about it.

The proliferation of AP is providing a real opportunity for us to not only think about how we communicate but more effective ways to do it, a couple of which you name, which is cool.

I'm so down w/ the protocol being changed in a way that makes it better, but saying we shouldn't be using it at all is step backwards.

Cool. I'll wait for that. I really want to see viable options. Especially if they work

@Are0h @jalcine @kaniini I think one challenge we have to think about here is how we might be able to positively affect future versions of the protocol spec.

For better or for worse, this whole thing sits in the realm of WC3, and in some ways is the byproduct of attempting to please the multiple groups that populated the SocialWG. You've got Linked Data and IndieWeb people shoehorned into the same space as fedi developers, and many members of the group representing corporate entities that might be interested in a narrow application of it.

So far, the process for advancing the protocol to a new version that is, for example, aware of the notion of OCAP, is largely undefined beyond writing a whitepaper, putting out a CFP, and hoping other people in the space will adopt it.

@sean @kaniini @jalcine AP is popular because it's simple and it works. I absolutely agree the design isn't perfect because it does have some gaping holes, but as a protocol framework, it's really solid.

I say we build on that rather than lamenting the fact an imperfect idea is getting traction.

With all of these big brains floating around the fediverse, I know we can do better than 'this is bad, but I don't know the answer'.

This is such an opportunity to set a positive tone moving forward.

This. The challenge of federation is social, not technical. It's a much better situation to have an imperfect protocol that everyone uses than to endlessly iterate - every fork of the shared protocol splinters the network and gets us further away from the dream of an open, connected web.
@sean @kaniini @jalcine


@jdormit @Are0h @sean @kaniini Forking and splintering won't be too much of an issue with tight collaboration amongst projects and that's something the Fediverse has been pretty okay-ish at thus far. It's not like we're relying on a company to define things for us - it's people-driven

Sure, but what are the chances that competing protocols will actually maintain compatibility with each other? The web is built on a stack of shared protocols - imagine if every website didn't use HTTP! ActivityPub is a 90% solution, and I think the last 10% can be built on top of it without breaking compatibility.

@Are0h @sean @kaniini

@jdormit @jalcine @Are0h @sean @kaniini I think AP is under-specced primarily due to constraints impose by W3C (time and otherwise) and a desire to formally pin down as much as possible while Mastodon was ploughing ahead with its implementation to minimize the risk of it rolling out too many bad ideas ad-hoc. I think Chris (Webber, co-editor of AP) is aware of the gaps and interested in seeing them filled. For example mentioning OCAP here: dustycloud.org/blog/spritely/

@msh @sean @Are0h @jalcine @jdormit

Mastodon indeed has caused some minor damage with their AP implementation by moving too quickly, but I think it's minimal compared to the overall under-specification that has occured.

It should also be noted that Mastodon's damage is also in part because Gargron and company were given bad security advice by the W3C Social CG.

The fact that we have to push for a mitigation in the form of rotating keys due to Mastodon's decision to adopt the highly flawed LDSigs signature scheme is an example of the damage caused by moving too quickly.

But we are moving towards mitigating those problems with Blind Key Rotation.

Of course, in an ideal world, no implementation would use LDSigs, and maybe we will eventually convince people to stick to constructions which make sense instead of just copying what Mastodon does.

But here's the thing, Chris wants to move away from technologies that work and towards the experimental stuff. I wish him all the best, but we need to ship things which people can believe in wrt trust & safety, and where we're at right now is not so great for that. I think before we start integrating I2P and DAT we should talk about getting the fundamentals right.

@jdormit @Are0h @jalcine @sean

I agree Mastodon itself has shown good restraint in only causing "minor damage" considering its out sized influence. That said Eugen seemed to be a bit of a catalyst in pulling such advice out of Social CG. It's good and bad in different ways.

Chris is this deep thinker and I think tried to make sure AP was flexible enough to address future concerns, but is the antithesis of Eugen who forges ahead to scratch itches. @kaniini seems to provide balance.

@msh @jdormit @jalcine @sean And just to piggy back on this comment, if it turns out that what Masto is becoming is not conducive to the changes that need to be made to AP, I will abandon it in a _heartbeat_.

Popularity shouldn't be the defining factor of the what the protocol should be. Stability and security has gotta be at the core of it. That's something I hard agree with @kaniini on

@jdormit @sean @Are0h @jalcine

ActivityPub is a more like a 75% solution, not a 90% solution. Maybe from the perspective of syndicating blogs it is a 90% solution, but from the perspective of interconnecting communities, there are many problems: abuse mitigation (which cause strife between users and admins and between instances), broken signature schemes (which endanger activists), lack of deniability (big oof for marginalized people), the lack of being able to directly define what interactions you want with your posts, etc.

Yes, absolutely we can get there, but it's not a "90% solution". There are significant parts of the protocol that need to be revisited and retrofitted with security features.

@kaniini @jdormit @jalcine @sean So let's do that rather than quibble over subjective interpretations of how close we are to a solution.

Whether it's 75% or 90%, we can agree it's getting us closer to where we need to be.

That's a point of common ground we can all work from.

Sign in to participate in the conversation
Social @ PV

Social is the primary social media platform for the forth coming fourth version of Play Vicious, a new initiative built to bring attention to the plethora of creative acts that don't get the shine they deserve.
For more details about the project and how to support, go here.