Hacker News | Yolta's comments

Main Keyoxide dev here. That's an interesting suggestion, could be very useful! I don't have much experience with Open VSX or VS Code Marketplace. Do they have APIs for accounts?


I'm not affiliated with either, but from looking at some of the extension pages on Open VSX it appears they use GitHub accounts exclusively for publishers—so that part is already handled by the existing GitHub/Keyoxide integration. For VS Code Marketplace, the publisher pages do include a description section which could be used for the identity proof but there doesn't seem to be a (documented) REST API.


Hi there, I took a look at your site home page and docs, and still can't figure out what it is, or why someone would want to use it. Do you have a link to a 10,000 foot overview / simple use-case explanation, for a short-bus person such as myself?


Good overview is here: https://docs.keyoxide.org/getting-started/what-is-keyoxide/

From that page:

"Keyoxide allows you to prove "ownership" of accounts on websites, domain names, IM, etc., regardless of your username.

That last part is important: you could, for example, be 'alice' on Lobste.rs, but '@alice24' on Twitter. And if your website is 'thatcoder.tld', how are people supposed to know that all that online property is yours?

Of course, one could opt for full anonymity! In which case, keep these properties as separated as possible.

But if you'd like these properties to be linked and, by doing so, establish an online identity, you'll need a clever solution.

Enter Keyoxide.

When you visit someone's Keyoxide profile and see a green tick next to an account on some website, it was proven beyond doubt that the same person who set up this profile also holds that account."


Thank you. That's easy enough to understand, even for me ;-) The only piece that might use a bit more illumination, is what kind of people are likely to use Keyoxide to check on your proof of ownership once you've set it up, and why they would do so.


> Which kinda suggest governments should run their own email services.

No, no, no, no, no, let's not go there. Small independent hosters is a more compelling solution.


> No, no, no, no, no, let's not go there. Small independent hosters is a more compelling solution.

Yes, our culture is perfectly capable of delivering essential (and nonessential but nonetheless everyday) services through regulated private independent companies. Typically some sort of exclusive license is granted, yet to maintain that license certain standards must be adhered to. You can see a dozen examples of this on any high street, any business handling food for example.


On one hand food can kill you, but at least no one will see your browsing history...


You wouldn't need to use your email as account id. The account id could even be completely random, as long as you manage to link back from that account to your key (in case of twitter, a tweet with the key fingerprint), anything works! Just add a link to that account to your key.

With regards to decentralization: keyoxide doesn't hold the proofs. Your key does. You can take your key to any verification system, whether it is keyoxide website or some CLI tool or an app, and have that verify the proofs. Yes, you do need to trust the service. But that's where the open source and hopefully one day, network effect comes into play. If enough knowledgeable people trust it and talk about it, then less-techy people might one day too.

In the end, what is important to note is this: keyoxide is just an implementation detail. If soon a different service becomes much more popular and used, the "decentralized identity proofs" ecosystem still wins! I would love to see apps get developed where anyone can at the press of a button verify online identities. That will be the next big milestone.
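
The two-way check described in the comment above (the key links to the account, and the account carries the key's fingerprint), as an added example that is not part of the original comment and is not Keyoxide's own code. The fingerprint, URLs and page contents are constructed, `fetch` is a hypothetical stand-in for an HTTPS client, and accepting either a bare fingerprint or an `openpgp4fpr:` URI in the account text is an assumption.

```python
import re
from typing import Callable, Dict, List, Set
from urllib.parse import urlparse

# A v4 OpenPGP fingerprint: 40 hex digits, optionally printed in groups of four.
# The lookarounds stop a match inside a longer hex run (e.g. a SHA-256 digest),
# and the fixed length means a short key ID can never satisfy the check.
_FPR_RE = re.compile(
    r"(?<![0-9A-Fa-f])((?:[0-9A-Fa-f]{4} ?){9}[0-9A-Fa-f]{4})(?![0-9A-Fa-f])"
)


def normalize_fingerprint(text: str) -> str:
    """Strip whitespace, upper-case, and insist on exactly 40 hex digits."""
    fpr = re.sub(r"\s+", "", text).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", fpr):
        raise ValueError("expected a 40-hex-digit v4 fingerprint")
    return fpr


def fingerprints_in(content: str) -> Set[str]:
    """Every full fingerprint that appears in the text of an account page."""
    return {normalize_fingerprint(m) for m in _FPR_RE.findall(content)}


def verify_claim(fingerprint: str, url: str, fetch: Callable[[str], str]) -> str:
    """Check one claim URL taken from the key against the account it points to."""
    wanted = normalize_fingerprint(fingerprint)
    if urlparse(url).scheme != "https":
        return "rejected"      # proof fetched over plain HTTP could be altered in transit
    try:
        content = fetch(url)
    except OSError:
        return "unreachable"   # no evidence either way; never treat as verified
    return "verified" if wanted in fingerprints_in(content) else "unverified"


def verify_profile(fingerprint: str, claims: List[str],
                   fetch: Callable[[str], str]) -> Dict[str, str]:
    """The key holds the claims; any verifier can re-run this against the live accounts."""
    return {url: verify_claim(fingerprint, url, fetch) for url in claims}


# --- constructed sample data (not real accounts or keys) ---
SAMPLE_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
SAMPLE_PAGES = {
    "https://social.example/@alice24/status/1":
        "Verifying my OpenPGP key: openpgp4fpr:0123456789abcdef0123456789abcdef01234567",
    "https://thatcoder.example/key.txt":
        "My key is 0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567",
    "https://forum.example/u/alice": "My key ID is 01234567",
    # The key claims this account, but the account points at someone else's key.
    "https://chat.example/u/bob":
        "openpgp4fpr:FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF",
    "http://plain.example/alice":
        "openpgp4fpr:0123456789ABCDEF0123456789ABCDEF01234567",
}
SAMPLE_CLAIMS = list(SAMPLE_PAGES) + ["https://gone.example/alice"]


def sample_fetch(url: str) -> str:
    """Offline stand-in for an HTTPS GET over the constructed pages."""
    if url not in SAMPLE_PAGES:
        raise OSError("not reachable")
    return SAMPLE_PAGES[url]


if __name__ == "__main__":
    for url, status in verify_profile(SAMPLE_FPR, SAMPLE_CLAIMS, sample_fetch).items():
        print(f"{status:12} {url}")
```

A claim listed on the key proves nothing by itself; only the account-side fingerprint, which requires control of that account to post, completes the proof.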


They are years ahead but as it turns out, you don't need a CS degree to add a decentralized proof! Only a few short commands are needed, that's it!

You may say "it only takes a few clicks on Keybase" but remember, that only works if you have given them your private key! Which really isn't ideal...


TLDs do still matter. Part of the indieweb movement is focused around not relying on search engines. The TLD is half of your domain so some consideration is needed.

Personally, I could have gotten yarmo.nl, given that I'm Dutch. I chose yarmo.eu because I'm fairly certain my future is not in the Netherlands, but elsewhere in the EU.

I also wouldn't want a TLD that supports Britain's continuing colonial rule and defense of acts against human rights.

I'm not saying all should boycott .io, just the (open source) developers who wish their products (and domains) to reflect their core principles.


I'm sorry to hear about that experience, that's not IMHO the way it should be. That leaves you the opportunity to take your knowledge and opinions elsewhere. This would not be possible if you got banned from Twitter.


It saddens me that every time I see a fediverse-related post on HN, it gets inundated by people who don't "get it" and that is to be expected: fediverse is not Twitter and everybody gets Twitter. That change in mentality is not easy.

Fun story: massive influx of users from India recently and the timelines got flooded by posts indirectly asking: "what is the way to fame here? How do I get followers?". Fediverse doesn't work like that. You just… talk with others. There's no "you and your followers". There's "us".

Analogy: you are not in a metropole. You are in a village that is extremely well connected to all other villages. You do not need to shout to be heard.

I'm on a FOSS-focused instance. We talk all kinds of stuff and FOSS is one of them. I have my Home timeline where I follow all the people I want to hear from (both my instance and all others). I have my Instance timeline where I'm basically guaranteed to read interesting stuff I can reply to and meet new people who also considered this instance to be their haven. And the Known Fediverse timeline… Well, it's fun to browse but come on, imagine a timeline of all tweets on Twitter: mostly useless.

Choosing the right instance also involves choosing the right moderators for you. Mods can block other instances. If you don't like what the mods do, change instance or start your own community. After all, it's not Twitter, the people decide how content is moderated, not a for-profit company.

That's the fediverse for ya. Hope to see you there!


> Mods can block other instances. If you don't like what the mods do, change instance or start your own community.

Doing so costs you all of your followers. This is one of the main issues with the culture of heavyhanded instance operator censorship: you can’t simply switch like you would an email host with your own domain, because few/no AP implementations support bring-your-own-domain virtual hosting.

This is like saying “well, if you don’t like that the mail admin simply doesn’t let you email certain domains, just change your email address!”


> Doing so costs you all of your followers

This is not true anymore. You can "transfer" your account to another instance, and all the followers will not need to refollow.


This is sadly not quite correct. You can send out a 'Move' activity from your old account, notifying other servers that you have moved. There's no guarantee that they understand that activity, or, if they understand it, that they actually follow the new account automatically.


In practice, nearly all your followers will be using fediverse software that understands and supports Move{Actor} in a similar way to Mastodon. There's not a massive amount of fediverse software - it's not like IndieWeb where everyone does their own thing - and the microblogging-focused software largely implements the same feature set.


Most Mastodon instances currently running today don't support it.


It seems like virtual hosts would be reluctant to support it because it allows clients to move away from them. Vendor lock-in and such...


Most people aren't getting paid for running their instances, and are doing it for the kind of goodwill that is only amplified by enabling features.


That depends on that software being deployed in a timely manner. There's plenty of instances out there still on Mastodon 1.6 and 2.0 because the admin installed it 2 years ago and hasn't updated since.


I probably need to look into supporting this in my federated social network thing. It does work with Mastodon and Pleroma right now, but it certainly could do better.


Even if the move notification worked perfectly, the people on instances your local admin has defederated with will never receive it as a result of the defederation. I don’t think this is a solution.


This is good to know. One of the things that holds me back is choice paralysis on picking an instance.


I would love if social media platforms could stop letting people know who followed who, even to the followers themselves... I think it would make places less vain and toxic


I can't see how it would make it less toxic - a lot of the toxicity I see comes from accounts where it just wouldn't be possible for them to know who followed them because they're well into the 100ks, if not millions.


Not quite. It's not a bug, it's a feature.

Going back to the original quote: "The fediverse is like interconnected villages instead of a large metropole. There's no need to shout." and I think it's quite apt.

The fediverse is far closer to early online fora, bulletin boards than it is to e-mail. Maybe you were deeply entrenched in a particular online community, establishing an online identity, a reputation, visibility,... connected to your name. But outside of that domain? Well, you have little social credit on other discussion boards.

This approach models closely to how societies work in reality. And how individuals prioritize their own social connections. First family, then extended family, friends, co-workers, and society at large - an online audience - way down the road. Each of us will subconsciously look at people starting from the implicit question "Who is part of my tribe, who's an outsider?"

Now, the important part here is that you may feel compelled or forced to leave a group, family, tribe,... So, this implies giving up your locally established social credit and hope you can rebuild that elsewhere. For most people, that's an extremely expensive and risky proposition.

So, what do Reddit and Facebook do different, then?

Reddit is hugely successful because it provides a platform that can sustain thousands of small communities. Much like how online fora - but also e-mail based newsgroups or BBS'es - used to work in earlier days. Facebook's killer app is not the wall or your profile - contrary to what you may think - but... facebook groups. The same is true for Telegram or WhatsApp. These are tools that allow you to establish small communities.

And then you have the entire "followers/following" thing.

What Facebook and Reddit did was successfully merge the idea of a portable, persistent identity - a profile - between local communities by building a platform that also made migration and establishing new communities really easy and cheap (just a few clicks: bam! new group or subreddit!)

Now, followers / following: that's NOT a social network. That's an audience. And there's a distinct difference between those two. (even though there's an overlap too)

For all the talk over "engagement", communicating towards an audience is mostly a one-to-many one-way street. You may reach hundreds of thousands on Twitter, but you may only directly engage - and establish a meaningful relationship - with a handful of people.

If you want to directly and presently reach a large audience, then either e-mail newsgroups, the fediverse or online fora are the wrong venues. Arguably, even Reddit is the wrong platform if you directly tap into millions from a single or a few publishing points (accounts).

If you're looking for small communities in which you want to get entrenched, then the fediverse is the right place to be. Even though that comes with the perpetual yet very real trade off of establishing social credit locally which you can never carry with you if you migrate away.


I like to run mastodon as a single-user, and actively connect to other instances by following certain people. What I find lacking (but that might be a configuration issue): I cannot seem to get the replies to other people's statuses, which are not from my server (so, basically, all). That'd be a bummer if that doesn't work.


Pleroma v2.0.0[1] lets you hover over the "Reply to" text to get the replied to status in a little popup (which might be new in v2.) But also a little "popout" icon that will open the entire thread in another window (which previously existed pre-v2.)

[1] running as essentially a single-user instance.


I'm running Pleroma in the same use case, it works fine for me I think.

If other people want to do that and switch from Twitter -> Fediverse, I wrote a bunch of scripts to switch from Twitter to Fediverse:

https://git.sr.ht/~pierrenn/twitter_escape

Sadly, this is a bit of a spammy method, but I had only a dozen or so complaints so far and my "Whole known network" is now seeded pretty well: https://s.pnn.sh/ (this is a small single user home instance on ARM, so it's slow)

And TBH I find the Pleroma UI better than Mastodon for the single user instance - plus clicking on the date to get replies in the Mastodon frontend always feels weird (but it's personal taste!)


I'm currently trying to get my head around wrapping Pleroma in Docker, as I've everything dockerized and behind a Traefik proxy.

Thanks for the links!


Feels too complicated to me.

Back in the day when ICQ and the first instant messengers showed up, there used to be a "find a friend" feature. You just specified what you were interested in chatting about and it would return a list of people who had said the same thing. That was all it took to meet interesting folk and make meaningful connections.

Needs to be simple for civilians I guess is what am saying.


> And the Known Fediverse timeline… Well, it's fun to browse but come on, imagine a timeline of all tweets on Twitter: mostly useless.

I remember when I first used Twitter in 2006 or 2007 it actually had that as a feature. It was useless, but still fun as you mention.


I like the idea behind fediverse, nevertheless it's mostly suitable for HN users or being a replacement for phpBB forums in small communities.

> Well, it's fun to browse but come on, imagine a timeline of all tweets on Twitter: mostly useless.

BTW. This will happen too, it's just not popular enough to catch that.


I started that project, but haven’t had time yet to finish it:

https://git.eeqj.de/sneak/feta


Careful with this. A lot of communities don't like scraping of their public content. There was a guy who got booted from archive.org I think for trying to archive an instance that had a lot of under-18 folks' content.

I'd encourage you to build a federated app instead. :)


I think you are making the assumption that I am scraping content based on the fact that I am developing a free software content scraper that anyone is invited to use.


Yep, just like I assume countries that enrich plutonium to weapons grade levels and stick it on the pointy end of an ICBM are threatening others with nuclear weapons, even if they're never launched.


If you think developing web spider software is akin to developing nuclear weapons, I think you might want to go have a talk with some larger, well-known companies who have not only half-developed not-yet-working software (like my activitypub spider, which doesn't even have a storage backend at the moment), but who have fully developed advanced web spiders that have actually downloaded and archived exabytes of data from the web, to be saved privately for all time. Frequently they even let anyone who wants search the full text of it, usually without authentication!

If you don't want second parties to have copies of your data, configure your webserver not to send it to them when they request it. You can't force someone to do something with an HTTP request.


Your first statement looks like it should be logical, but when read for soundness, the consequent ("[then] I think you might...") makes absolutely no sense following the antecedent ("if you think..."). I only mentioned nuclear weapons to try to really emphasize to you that a technology's existence is enough to cause fear in people and communities, which does have real world consequences. But I don't think you care about that.

Anyway, I work at one of those companies. You know what they have? Ways to let users opt out (ex: ROBOTS.txt), ways to ensure they're not DOSing people when scraping (which uses material resources: compute time, spindles, electricity, etc), ways to track the copyright of the source material (which belongs to the author, usually), and ways to respond to second-party requests (legal and non-legal notices) who want to know how much of their data has been scraped or exercise their rights over their material. These technological features are because this is what human societies have found to be a decent balance between scrapers' rights and internet users' rights. Your solution lacks this due consideration and gives internet users a giant middle finger.

In your last paragraph it is pretty clear you are doing this because of some ill-conceived "ethical" notion that "because HTTP responded with this payload, it is now mine with an 'ethical license' to do anything". There are other ways to point out security flaws in ActivityPub that are way more constructive and less asshole-ish, but it seems you're pretty keen to erase a lot of moral and legal nuance to prove "because I have a technological capability means I have the moral ought and the legal right". Sorry, but no: the world is a lot more complex than this.

Just because I have the technological capability to transmit the message "you're being a dick" from the comfort of my home doesn't automatically mean it would be ethical for me to, so of course I am not going to tell you "you're being a dick", and normally I wouldn't type this sentence at all but in this special case I am because it shouldn't be a problem with your ethical system since I'm not actually saying it despite having the technological capability, so it should have no impact on you (and if it did, it should give you pause to reconsider that maybe you need to do more self-reflection on discovering your actual reasons for doing this ill-advised project).


> it is now mine with an 'ethical license' to do anything

Why do you believe that that is my view?


Because you have not cared to clarify your ethical view in the last 3 responses to me, nor in your ethics statement of your project.

Your system is designed to download and save information in an unaccountable manner on behalf of anyone, "unaccountable" literally is a doorway to "for any further purposes", so it's a very safe assumption.

The lack of clarity also comes from ignoring the bulk of my previous message. Ball is still in your court. I am inviting you to make this exact clarification (plus far more), when all you seem interested in doing is dodging, delaying. The worst action you could possibly take is accusing me for assuming in order to fill in the very deliberate blanks you are leaving behind.


> Your system is designed to download and save information in an unaccountable manner on behalf of anyone

I think perhaps you have confused some source code that I have released with a service that performs a function on behalf of a user. I operate no such service.

All I have done is produced a tool that allows a user who downloads and builds and runs that tool to download data from a website, much like a browser or any other HTTP client. There is no "on behalf of"—it's just a tool for a first party to use.


And we've come full circle: your argument here is exactly the same as here: https://news.ycombinator.com/item?id=22528636

I am happy to let you keep showing off your circular reasoning to the world, and will happily repeat myself pointing out all my counterpoints you did not engage with and ignored.

For example:

- I claimed a technology's existence is enough to cause real world consequences. You ignored this point.

- I mentioned you are not including safeties to building a tool to protect its user[0] (the "first party" user of your tool) and its targets ("second party" people the tool-users are subjecting to your tool). That makes it legally/morally unappealing to use as a tool (puts self in danger), and morally unappealing to be subjected to. Why build a tool this way to be completely legally/morally unappealing, unless you want to cater to users specifically that do not have such legal/ethical concerns? You ignored this point.

- I have invited you to clarify your ethical view. You are circling back to a previous non-argument.

- You simply refuse to verbalize your implicit moral stance -- that your role as a "toolmaker" absolves you of all the moral consequences of its use[1]. If this is incorrect, I welcome clarification from you.

[0] The laundry list of features of other scrapers I mentioned, here: https://news.ycombinator.com/item?id=22533439

[1] This moral position has long been well-criticized and is not a sufficiently nuanced moral stance in this day and age. For an old example, consider Tom Lehrer's criticism of von Braun: "'Once the rockets are up, who cares where they come down? That's not my department', says Wernher von Braun." [2].

[2] https://www.youtube.com/watch?v=TjDEsGZLbio


I'm going to be blunt: your ethics statement sucks. It reeks of "I don't care what you intended, I'm going to use your data in ways you didn't want because nothing is physically stopping me". At the very least, that's a terrible attitude to describe as an "ethics statement". If you were to call it "justification" instead, at least it would be internally consistent.

I see that your code makes no mention of robots.txt, so you've designed it in such a way that explicitly ignores each instance's published intention. You can't reasonably make any claims about "consent" while pretending that "User-agent: *; Disallow: /" isn't there.


From a first glance it does not scrape the web UI, and uses public APIs only. So mentioning that it ignores robots.txt is not a solid argument. These APIs are there specifically for automated use.

I agree that this "ethics statement" is of no use, though. The author should have ignored these people who get upset because of their posts being copied.


Every time people get upset because of reasonable behavior of others and unreasonably attempt to control that behavior, it is an opportunity for teaching.


You use this phrase:

> ... reasonable behavior of others ...

According to whom? Every dictator thinks it's reasonable behaviour for them to crush the opposition, while those who look on, or those who suffer, will usually believe that to be unreasonable behaviour.

Something I learned from a colleague once is this:

"No one ever thinks they are the bad guy."

So your concept of reasonable behaviour may not match mine, and you may exhibit behaviour that will upset me. That's not an opportunity for me to learn, that's an opportunity for me to seek some sort of recourse against you.

Don't be surprised if others attempt that.


Publishing software is protected expression in the place I am writing it, so I will absolutely be surprised if others attempt that: it would be illegal under the laws in this place.


Just so we're clear, and just to make sure I understand your position ...

Even though several people are saying that what you're doing is unethical, you're effectively saying:

> "Screw you, I think it's OK, so I'm going to go ahead and do it, and no one can stop me."


I think perhaps you are confusing morals with ethics. Morals are a subjective matter, unique to each person, and are derived from their own individual values.

Ethics were designed as a more objective framework that can be consistently applied in a society so that groups may be able to reach consensus about decisions that affect others. I have yet to see any argument that developing and publishing software that allows people to download public information from the web is unethical, especially considering the fact that you cannot download any information from a webserver that that server does not willingly provide to you. You send a request, and perhaps you receive a response—or not. It is wholly within the determination of the server what, if anything, it sends to you. My software speaks plain ol HTTP, no hax or subterfuge or fuckery of any kind.

Indeed, such HTTP client software development and distribution is widespread in our society: you're probably using some software like it right now to read these words. Other tools that perform this function are shipped with every single install of most OSes. It's some of the most common software on the planet. When you browse Mastodon or Pleroma instances, software on your computer is doing the same thing that my software would do, if you ran it.

Despite the fact that some people are irrationally upset over people's choice of HTTP clients with no justification offered, the burden of proof remains on you or anyone else who has a problem with my software to explain why, from an ethical perspective, I shouldn't be writing it or publishing it. No one has offered such an explanation to me, nor can I, in what I think to be a thorough consideration of all the possible consequences or systems of ethics which might apply, discover one myself. I do not believe that such exists, considering the circumstances of how common even advanced HTTP client software is. If you have one, please speak up.

Remember: whether something is moral or not is a personal opinion; it cannot be right or wrong. Whether something is ethical or not, however, is more or less an objective analysis within a given ethical framework. It is not an opinion.


I mean, it is legal. Stopping him wouldn't work well.

Sleazy? Arguably. Allowed? I mean, it's not like it's pulling any magic tricks. It's operating within what the protocol (and the law) permits. People could use a better protocol that doesn't have these problems, but hey, who cares, right?


Your behaviour puts people's lives at risk. Nothing ethical about it.


Actually, the behaviour of the Mastodon author promising a "safe space" in his paid, targeted advertising campaigns without any real plan for data security is the unethical behaviour. If you don't like that people can scrape the fediverse, fix the damn security.


What behavior is that? Writing a tool that people can use to download information published on websites? Does the creator of `wget` or `curl` put people's lives at risk too? Chrome?

I think perhaps you may have misattributed the responsibility for the side effects of publishing data globally.


> a FOSS-focused instance .. people who also considered this instance to be their haven

That sounds wonderful - any hint how to find/join that instance? (Searching for mastodon/pleroma FOSS instances doesn't return anything useful here.)


fediverse.network contains fairly exhaustive lists of open registration instances for both pleroma and mastodon


I humbly suggest that you have just pointed out the major flaw for federated social networks and decentralised platforms in general: they do not serve the same purpose of Twitter, Facebook and the like.

Users come to these popular platforms not worried about what it will take from them, but what they can take from the platforms. Notoriety, fame, a following.. validation or just a business model.


Why is being different a flaw?


I don't think being different is a flaw, but people are drawn towards the familiar and what I'm pointing at is that this is the reason why gaining real traction beyond the dev community is so hard.


Apparently, Microsoft deemed it popular enough to show ads targeting Firefox users


Mastodon is holding up just fine and growing rapidly, the atmosphere is much nicer and every few weeks, there's a massive influx of new users whenever Twitter is upsetting its user base.


I wouldn't want the app from any other place than Fdroid!

