fosstodon.org is one of the many independent Mastodon servers you can use to participate in the fediverse.
Fosstodon is an invite only Mastodon instance that is open to those who are interested in technology; particularly free & open source software. If you wish to join, contact us for an invite.

Administered by:

Server stats:

11K
active users

洪 民憙 (Hong Minhee)

I received a request from @ghost@threads.net today to add to @fedify for compatibility with , as Mastodon does not plan to implement Object Integrity Proofs (FEP-8b32) for the near future. 😩

However, Mastodon's implementation of LD Signatures does not even use valid JSON-LD properties (despite the name), so I'm not sure how to make it compatible with Mastodon since does JSON-LD processing. 🤔

As the creator of Fedify, I'd like to see either ActivityPub implementations all deal with JSON-LD properly, or the ActivityPub spec gives up on JSON-LD. 😩

@hongminhee hey @thisismissem, @andypiper what do yall think of this situation? where are we going here? I keep seeing dev after dev complain about the JSON-LD issue with Mastodon and I personally dont even know where to stand on it but it seems its a major hurdle.

@liaizon @hongminhee @thisismissem I think it may be something long-standing here, is there an existing GitHub issue where I can get more background? I know it’s pretty complicated at this point though.

@liaizon @hongminhee @thisismissem (also asking as I’m on my phone walking right now and can’t search so easily!)

@andypiper @liaizon @hongminhee the version of JSON-LD Signatures that mastodon supports is old, basically they implemented it, then the spec completely changed.

That's why stuff doesn't look right.

The question is then: how do you migrate forwards without breaking compatibility with existing deployments. That's gonna need time & money thrown at the problem to solve.

@thisismissem @liaizon @hongminhee agreed that it will take a while to resolve things due to the scale of the deployments.

@thisismissem @liaizon @andypiper @hongminhee

FEP-8b32 is designed to be compatible with existing implementations. The upgrade path for Mastodon may look like this:

1. Support multiple public keys per actor
2. Start publishing second Ed25519 key as described in FEP-521a
3. Start adding FEP-8b32 integrity proofs in addition to LD signatures (as specified in "Backward compatibility" section of FEP-8b32)
4. Stop adding LD signatures

Summary card of repository fediverse/fep
Codeberg.orgfep/fep/8b32/fep-8b32.md at mainfep - Fediverse Enhancement Proposals

@hongminhee will @Mastodon lack of support for the AP standards slow the adoption of the fediverse? TrueFans are new to developing with AP. We use @fedify who have made it super easy but we wanted to use the "Listen" verb from the AP vocabulary but no AP client supports it. Mastodon doesn't for certain which is probably why other AP clients don't.

We also wanted to use the 'Summary' verb but Mastodon kept marking our notes as sensitive another bug not fixed.

@jenniferplusplus @hongminhee @Mastodon @fedify what Mastodon supports Listen? Not so far in our testing. Also using summary marked everything as sensitive. That is still the case?

@samsethi @hongminhee @Mastodon @fedify sorry, I wasn't clear. I meant to answer your initial question. Will it hold back fediverse development if mastodon doesn't implement the specs properly? Yes, it already does.

@jenniferplusplus @hongminhee @Mastodon @fedify exactly. We face the same issues in podcasting. Podcasting 2.0 has 30 new metatags in a new namespace that Apple, Spotify etc don't support. So 80% of users are on Apple/Spotify and thus don't see the new tags if a creator adds them to their RSS feed. Only new podcasting apps support the new tags. Chicken and Egg. Mastodon is the biggest AP client and their lack of support will slow the AP adoption.

@hongminhee The first. The latter would imply giving up on the web and global federation.

@hongminhee @ghost @fedify these properties should be part of the https://w3id.org/security/v1 context, but it looks like we are omitting this context in some activities

Smithereen (I'm writing this from it) also does JSON-LD processing but also supports LD signatures. I don't understand what's the problem here — imo you aren't supposed to LD-process the signature itself. I remove it before any LD processing and treat it as a separate object passed alongside the main one.

@hongminhee Do they want LD signatures in Fedify in order to process forwarded Create activities? I simply fetch object by its id when signer and actor do not match.

@silverpill Oh, that's great idea! It really helps, thanks!!

Fetching 3rd party relayed activities with access control doesn't work with HTTP-signatures. Like private groups.

I won't go into the hundreds of reasons LD-signatures needs to die. Oh wait. It died years ago.

Use FEP-8b32.