@kaniini There are a couple of good points in here, but this is a really cynical take on AP.

I'd agree it has some blind spots that need to be addressed, but lines such as "In an ideal world, the number of ActivityPub implementations would be zero." are pure hyperbole.

Further I would give it more deference if it presented a viable option as opposed to "this is bad, but I don't know how to do it better"

We gotta do better than this if we are to push forward.

@Are0h That's part of the upcoming series. And it's kinda been hinted at on their timelines (leveraging facets of Zot's approach, using capability URIs vs implied actions, etc) @kaniini

@jalcine Aight, cool. Hopefully will get better because this isn't a great start.

There are some salient points about security that I absolutely agree with, but most of it just seems like editorializing.

I'd rather see problems identified and then explorations of possible ways to improve.

But I guess they're saving that for later. I hope.

@kaniini

@Are0h @kaniini @jalcine

well, this was meant to be kind of an explanatory post of what my present world view is on activitypub, having spent a year basically bringing up an AP implementation from scratch, and working in a codebase which built on AS2 with some elements of AP as a data model.

so it basically *is* editorializing on the topic.

the next blog post in that series that i'm working out in my head actually has to do with what a merged AP + Zot6 type protocol might look like, and what is good and bad about that. it will also attempt to explain in detail why tying personal identity and cryptographic tokens together is fundamentally unwise (although my post about Blind Key Rotation went into some explanation on why that is unwise too), and introduce a construction of capability URIs and proof responses as an alternative.

@kaniini @kaniini @jalcine

Yeah I know. I just think that's a poor way of going about it.

The proliferation of AP is providing a real opportunity for us to not only think about how we communicate but more effective ways to do it, a couple of which you name, which is cool.

I'm so down w/ the protocol being changed in a way that makes it better, but saying we shouldn't be using it at all is a step backwards.

Cool. I'll wait for that. I really want to see viable options. Especially if they work

@Are0h @jalcine @kaniini I think one challenge we have to think about here is how we might be able to positively affect future versions of the protocol spec.

For better or for worse, this whole thing sits in the realm of W3C, and in some ways is the byproduct of attempting to please the multiple groups that populated the SocialWG. You've got Linked Data and IndieWeb people shoehorned into the same space as fedi developers, and many members of the group representing corporate entities that might be interested in a narrow application of it.

So far, the process for advancing the protocol to a new version that is, for example, aware of the notion of OCAP, is largely undefined beyond writing a whitepaper, putting out a CFP, and hoping other people in the space will adopt it.

@sean @kaniini @jalcine Yeah, I agree. And as there is so much attention on it right now, this is a great time to do so.

That part of it is always going to be what it is, but the power of the idea is self evident based on how many good people are adopting. That's a huge plus. We can work with that. There is so much space to make AP better without kicking it in the face.

Which is why I think we'd be better served to improve the spec rather than demean it.

Is it perfect? Hell no. But it's a start.

@Are0h @jalcine @sean

It's not my intention to demean it. UNIX (Linux) is a classical example of the "worse is better" philosophy. UNIX won.

ActivityPub will win too. My point ultimately is this: ActivityPub is going to win, but how do we coordinate standardizing security fixes across all of these projects popping up?

Completely redesigning entire parts of the AP protocol is out of the scope of Litepub, we must either try to push forward in SocialCG or create a new standards body.

So, I think we will eventually see a split between those projects which do want to move forward with security and those which don't understand why the emphasis on security is important.

@kaniini @jalcine @sean This is a much better expression of the ideas you put forth in the piece.

I think questions about security are worthwhile. And as the AP spec itself is not set in stone, there is room to make it better.

In light of this, I don't think jumping to another protocol is the best way to move forward. There is plenty of room for improvement in AP.

I don't think we need to create a schism around AP just yet. There is space for collaboration and improvement.

@Are0h @sean @jalcine

That's why I said doing radical rework of AP is outside the scope of Litepub, but that we need to decide as a community whether we want to stay with W3C or go our own way.

I am very afraid that W3C revision cycles on things like introducing OCAP will introduce new security flaws, because of the philosophy at W3C. I mean, we can't really expect an organization that promotes the idea that all information should be freely searchable and accessible to understand why you want to put security protections on your private data.

Plus W3C is pushing SOLID now instead of ActivityPub because timbl started it.

So, I don't know. I really don't think Litepub is an appropriate place to just start doing major rework of AP, but it is a pre-existing working group that has the big projects participating, so it would be a start.

@kaniini @Are0h @jalcine @sean

Just noting this is a great thread to read for all actors out there. I hope this is going to show up in the Decentralized Internet & Privacy Devroom that "we're smart people: we can walk and chew"

@kaniini @Are0h @jalcine @sean

Quoting from the blog: "But this will require coordination between all the vendors. And with 40+ projects out there, it's not going to be easy. And do we even care about those 40+ projects anyway?"

If we were able to coordinate that many developers, we would be able to implement all services as micro-services that complement each other. There's no reason why this would not be possible... Except ego wars.

@how @sean @jalcine @Are0h

microservices sound nice, and have been experimented with in both the diaspora and pleroma communities, but they aren't really a full solution.

what is needed is a rework of the security posture of AP (how painful this is *will* depend on ego to some extent), but integrating a capabilities model into AP has its own share of challenges. and of course, it depends on the key players upgrading so that the new projects have motivation to upgrade as well.

but i do think we can get there -- it's just a matter of finding the path.

@kaniini @Are0h @jalcine @sean

I guess good coordination starts with shared understanding.

I really enjoyed reading Capabilities Myths Demolished (srl.cs.jhu.edu/pubs/SRL2003-02) but where to go from here?

@how

> good coordination starts with shared understanding.

Agree. I think part of the issue is that AP 'in-the-wild' is now moving a gazillion times faster than SocialCG is moving on it, and there is no proper (or very hard to get) overview of how it is evolving.

Yesterday I created "Should activitypub.rocks rock some more?" for that reason:

github.com/w3c/activitypub/iss

(guess I now found the source of who was talking about 40 AP projects :)

@kaniini @Are0h @jalcine @sean
