charlag_khan
charlag
  • Statuses
    150
  • Following
    5
  • Followers
    11
developer, vegan, FP monk, red-black leftist, working on Tusky & Kibou (this server software!) Trying to Libre, to be aware, be green and to be nice (but I'm still annoying). This is currently my test account as I try out new Kibou versions here. Feel free to follow but some funny stuff can federate from here. You can reach me at @charlag@birb.site (fedi) or at charlag@tuta.io (email).
Statuses
has shared req@monads.online

first video for the thread, I don't understand any of this but I'm sure the northern europeans in chat can enlighten my naive mediterranean brain on the matter

has shared charlag@birb.site

Redesigned Kibou's static frontend a bit.
Still a lot to do (that repost looks horrible) but at least it's a less of an eyesore.

Wanted to take it easy and just redesign some ugly things but now it's 2AM...

And now I can't even upload a pic because uh... cors?

Well all this effort did not help much. I still get 400 from some places for no reason but at least my redirects are maybe okay now?

Damn to get that sweet awc I had to manually resolve dependency mess and now I have to change how teamplates work.

And their Either doesn't even have map_left()/map_right()

aw shit here we go again

trait MapEither {
type LeftT;
type RightT;
..
}

also I cannot have two different actix-rt versions in parallel so I can't just have new awc.

And I can't have fullly new actix because actix-cors just won't compile.

And old actix client just plainly doesn't do redirects...

This sucks ass.

ah yes, leaking things all over the place, my worst nightmare.

Thanks to f0x I now know that redirects are a problem.
Actix-web has a parameter in client builder about redirects but it's never used 🤦

has shared dumpsterqueer@testingtesting123.xyz

I'm gay and so is the software I make

@dumpsterqueer @charlag in kibou no key ID is stored, only pem.
I wanted to cross-verify some things.

Same for icosahedron.website

I would love to know why rage.love thinks I'm wrong 🤔

So new HTTP signatures impl is up and running, hopefully not everything is broken now! (can't be worse than before amirite)

@dumpsterqueer @trwnh HTTP signatures *are* kinda meant for C2S interactions.
This is a different scenario tho where one server wants to prove that another server sent something.
If we want to sign things from the client, it should be something completely else.

Why are keys stored like they are uuuuuuuuuuuuuuuuuuuuuuuuh I can't cross-verify the ID now

The sole reason *all* of this is done is to make harvesting harder and to block some instances. How does it matter if it's individual key or not? Client wouldn't be able to fully sign S2S request anyway.

Maybe I'm missing something here but it seems pretty ridiculous to me. Maybe I should just start signing everything with my instance key and get rid of all the on_behalf_on shenanigans.

Okay, masto has a technical actor it seems when it needs to resolve keys etc?

https://github.com/tootsuite/mastodon/blob/c3aef491d66aec743a3a53e934a494f653745b61/app/models/concerns/account_finder_concern.rb#L15

Uh, why are we doing all this theater, could just use instance-wide key and sign all requests with it. It's not like users have any control over their keys anyway.

But I guess you can do the same with masto *shrugs*

Hm, it looks like you can DDoS someone pretty easily with a lot of things, even with HTTP signatures.
Can send requests pretending to be different servers.
Hmmm.

Well it's less ergonomic now but hey you can avoid copying stuff!

"hee, hee, can abstract whether thing is boxed or not"
*rust geeking sounds*

@dumpsterqueer you could also just use LRU I guess?

There was some caching here but I ripped it all out:
1. It wasn't actually working
2. Proper clients don't ask for the same things twice anyway (mostly)

I only cache accounts now and it's also questionable. I need either write-through layer or to listen to the db updates.

But you predictive thing is pretty cool imo!

> Algorithm Name: rsa-sha256
> Status: deprecated, specifying signature algorithm enables attack vector.

OH GREAT

"What if some values are in quotes and some are not"

Someone from Oracle writing HTTP signatures spec apparently

lewd code
Show more

@dumpsterqueer ah. I thought it means "oldest, newer than" and "newest, newer than"

lewd code
Show more

@dumpsterqueer isn't "take from behind" when min_id?

@dumpsterqueer uh this displays empty in Tusky 🤔

Oh asonix actually implemented http-signatures crate but now the repo is gone?
I'm almost done but anyway, weird

Like who just spreads docs for some many things like this?

https://www.openssl.org/docs/manmaster/man3/EVP_DigestInit.html

I should be able to look at a *single* function and see *all* info about it, not scrolling up and down. Especially because in C you might need to check return or something.

And quality itself "1 for success and 0 for failure" and uuuh when can it fail exactly???

Also on unrelated note: I fucking hate OpenSSL docs. Every time I want to punch someone.

I wonder why are we all using RSA and not ECDSA or EdDSA or something for HTTP signatures 🤔

I need to get used to those long-ass posts again

Started rewriting HTTP signatures because they started to break down with another signed header 🤦
And designing the right interface for it is... tricky but I think I know the commmon denominator now.

Historical moment when Kibou and GoToSocial exchanged follows!

@dumpsterqueer
@dumpsterqueer

💚

I think I can post things?

Yaay it's workbkin!

>attributedTo: Identifies one or more entities to which this object is attributed. The attributed entities might not be Actors. For instance, an object might be attributed to the completion of another activity.

*deep moan*