I received a request from @ghost@threads.net today to add #LDSignatures to @fedify for compatibility with #Mastodon, as Mastodon does not plan to implement Object Integrity Proofs (FEP-8b32) for the near future.
However, Mastodon's implementation of LD Signatures does not even use valid JSON-LD properties (despite the name), so I'm not sure how to make it compatible with Mastodon since #Fedify does JSON-LD processing.
As the creator of Fedify, I'd like to see either ActivityPub implementations all deal with JSON-LD properly, or the ActivityPub spec gives up on JSON-LD.
@hongminhee hey @thisismissem, @andypiper what do yall think of this situation? where are we going here? I keep seeing dev after dev complain about the JSON-LD issue with Mastodon and I personally dont even know where to stand on it but it seems its a major hurdle.
@liaizon @hongminhee @thisismissem I think it may be something long-standing here, is there an existing GitHub issue where I can get more background? I know it’s pretty complicated at this point though.
@liaizon @hongminhee @thisismissem (also asking as I’m on my phone walking right now and can’t search so easily!)
@liaizon @hongminhee @thisismissem no promises on how quickly this can be resolved, but it is in progress. It needs more work and probably backporting etc. https://github.com/mastodon/mastodon/pull/31871
@andypiper @liaizon @hongminhee the version of JSON-LD Signatures that mastodon supports is old, basically they implemented it, then the spec completely changed.
That's why stuff doesn't look right.
The question is then: how do you migrate forwards without breaking compatibility with existing deployments. That's gonna need time & money thrown at the problem to solve.
@thisismissem @liaizon @hongminhee agreed that it will take a while to resolve things due to the scale of the deployments.
@thisismissem @liaizon @andypiper @hongminhee
FEP-8b32 is designed to be compatible with existing implementations. The upgrade path for Mastodon may look like this:
1. Support multiple public keys per actor
2. Start publishing second Ed25519 key as described in FEP-521a
3. Start adding FEP-8b32 integrity proofs in addition to LD signatures (as specified in "Backward compatibility" section of FEP-8b32)
4. Stop adding LD signatures
@hongminhee will @Mastodon lack of support for the AP standards slow the adoption of the fediverse? TrueFans are new to developing with AP. We use @fedify who have made it super easy but we wanted to use the "Listen" verb from the AP vocabulary but no AP client supports it. Mastodon doesn't for certain which is probably why other AP clients don't.
We also wanted to use the 'Summary' verb but Mastodon kept marking our notes as sensitive another bug not fixed.
@jenniferplusplus @hongminhee @Mastodon @fedify what Mastodon supports Listen? Not so far in our testing. Also using summary marked everything as sensitive. That is still the case?
@samsethi @hongminhee @Mastodon @fedify sorry, I wasn't clear. I meant to answer your initial question. Will it hold back fediverse development if mastodon doesn't implement the specs properly? Yes, it already does.
@jenniferplusplus @hongminhee @Mastodon @fedify exactly. We face the same issues in podcasting. Podcasting 2.0 has 30 new metatags in a new namespace that Apple, Spotify etc don't support. So 80% of users are on Apple/Spotify and thus don't see the new tags if a creator adds them to their RSS feed. Only new podcasting apps support the new tags. Chicken and Egg. Mastodon is the biggest AP client and their lack of support will slow the AP adoption.
@hongminhee The first. The latter would imply giving up on the web and global federation.
@hongminhee @ghost @fedify these properties should be part of the https://w3id.org/security/v1
context, but it looks like we are omitting this context in some activities
@hongminhee @ghost @fedify will have a deeper look and write tests when i have time, but this should be addressed by https://github.com/mastodon/mastodon/pull/31871
@Claire Wow, that's really quick! Thank you!
Smithereen (I'm writing this from it) also does JSON-LD processing but also supports LD signatures. I don't understand what's the problem here — imo you aren't supposed to LD-process the signature itself. I remove it before any LD processing and treat it as a separate object passed alongside the main one.
@hongminhee Do they want LD signatures in Fedify in order to process forwarded Create activities? I simply fetch object
by its id
when signer and actor do not match.
@silverpill Oh, that's great idea! It really helps, thanks!!
@hongminhee Here is some code for verifying and creating LD Signatures https://codeberg.org/rimu/pyfedi/src/commit/1a658d007fa6259ea736005b818ae516a954bb16/app/activitypub/signature.py#L429
I tested it out last week but haven't used it in production - this was originally copied from Takahe so I assume it works well with Mastodon.
@rimu Thank you! I think this will help.