Christopher Allan Webber email@example.com
Madison, United States
GNU MediaGoblin founder, former Creative Commons software engineer, python hacker, free software enthusiast, maker of weird drawings See: http://dustycloud.org/ (Any pronouns are okay.)
Mozilla to Boot2Gecko: You'll have to fork Gecko
Today we are announcing the next phase in that evolution. While work at Mozilla on Firefox OS has ceased, we very much need to continue to evolve the underlying code that comprises Gecko, our web platform engine, as part of the ongoing development of Firefox. In order to evolve quickly and enable substantial new architectural changes in Gecko, Mozilla’s Platform Engineering organization needs to remove all B2G-related code from mozilla-central. This certainly has consequences for B2G OS. For the community to continue working on B2G OS they will have to maintain a code base that includes a full version of Gecko, so will need to fork Gecko and proceed with development on their own, separate branch.
Sudden insight this morning that while the GPL is activated upon distribution, the AGPL is activated upon execution (with any networked interaction involved in that execution).
While I don't think this is an impossible thing to manage, I do think it means that compliance is more difficult with the AGPL... if you are already distributing software, it's not generally hard to distribute source along those same channels. If you're just executing software and having an interaction with another network participant, you might not necessarily have a similar arrangement to do a distribution... you might not even really know what you're running. (That sounds like an odd statement, but "finding" the correct source to distribute in AGPL'ed applications is an unsolved problem.)
While I think this can be overcome with server->client interactions, with some difficulty, I'm still not sure that most client->server interactions, where the client is running AGPL'ed code, can be easily handled. For this reason, I've been avoiding using the AGPL for software which might be incorporated with client code. I find it worrying when compliance may become overly difficult.
I'd like to be wrong about these things!
My most recent project, keysafe, is AGPLed, and the client and server are part of the same program, and a large amount of code is reused between them including http request generation/parsing, object queuing/storage, proof of work generation/checking, data types, and serialization.
So, I hope that there's not really a good reason to avoid using AGPLed code if it could end up running on the client. That would make development significantly less efficient when there's so much opportunity for server and client to share code.
Or it would limit the AGPLed parts to such a thin shell around the shared code that it might not be much of a barrier to creating a non-AGPLed server implementation. If keysafe's shared code was GPLed and only the server-specific code were AGPLed, a simple non-AGPLed server using the GPLed code could be implemented by writing only 2 trivial functions; around 10 lines of code.
@joeyh @Charles ☕ Stanhope Note that you could call my post "spreading FUD": I don't have a real tested case of these things. But in moving towards implementing the systems I'd like (which move closer to peer to peer + actor model over time) I've thought about these concerns a lot.
I like the AGPL a lot, and so I debated quietly and cautiously not using it for the project I wanted to, or to discuss it publicly, or just discuss it privately. But I feel like private conversation hasn't gotten me far enough over time, so here's me kicking the shins or tires or something. Hopefully better than kicking the can down the road...
Of course, other projects will vary. My use of AGPL in git-annex is confined to its webapp, and there's still a significant amount of code there, that would take lots of effort to reimplement. There's very little chance any of the AGPLed code there would ever end up in a client either, and if some part of it did, I'd relicense it GPL in any case.
Still, it seems a shame if AGPL could only usefully be applied to that style of client-server app, and not to ones that have a more svelte design, like keysafe, or presumably what @Christopher Allan Webber is doing with actors.
Hello everyone! Morgan and I are in London, and it's also my birthday. I'm 32!
Good morning, pumpiverse
I'm sitting at TPAC in the room at which ActivityPub's fate will be decided!
Well okay, it's not quite that dramatic. Actually, the dramatic parts happen in two weeks. It looks like our transition to Candidate Recommendation will happen then. We're going to need "wide review" soon though... that means I'm going to call on you, dear readers, to help review the standards work we're working on!
Onwards and upwards! Here's hoping our last day at TPAC goes well... I'm optimistic :)
Just did a live demo of ActivityPub client to server stuff and server to server federation in front of a well populated room at TPAC and it WORKED THANK GOODNESS
"I need more hours," sighed @rhiaro. "I would use some of them for sleeping."
Hanging out with friends csarven and @rhiaro doing some hacking in a hidden corner at TPAC.
Man, Lisbon is just broiling hot.
But I'm here for TPAC!
Hacking Pubstrate from my lodgings RN.
Cords, cords everywhere
And none of them connect to this port
seriously where did I put it
Got my ThinkPenguin mini computer, which I'm going to be using as my local network server/backup machine. It's pretty cute!
@EricxDu It's a bit expensive, close to $500. Which isn't so bad for a computer, but seems expensive for a mini-computer maybe. I had a hard time figuring out whatever else might be reasonably free software compatible and decided, "you know what? the thinkpenguin people do a good job, and this looks better than fretting over trying to figure out how to reduce the price and never setting up my backup machine again."
On "Someone is Learning to Take Down the Internet"
"Someone is Learning to Take Down the Internet" is an article by Bruce Schneier. And it sounds serious.
It sounds like it's the really big pieces of infrastructure being probed for vulnerabilities: the DNS system, ISPs, and SSL CA's.
Remember that most encrypted communication uses DNS and SSL CA's, which are both highly centralized systems. You only need to really compromise one "trusted" CA and MITM DNS, and you can do anything on almost all systems these days.
It would be different if we were using something "web of trust" like, but even the most popular ~decentralized systems in public use rely on what's in reality a lot of centralization.
So yeah, I think we're very vulnerable.
I was thinking it was either for warfare or to disrupt civil unrest.
There's http://named-data.net/ which provides a new content centric set of network protocols that might be more robust to DDoS style attacks. (Since it replicates heavily accessed resources.)
Or at least self hosting video files should be safer with named data.
If the general message is "the Internet can be disrupted, especially by state actors, so just be aware of that", then OK, great, we all know that. But citing anonymous sources? That's just FUD.
Maybe the problem is real, but if companies won't talk about it, I really don't care if they get burned later. (Although it could suck if when they get burned the rest of us are burdened, too, and then I would care, but only about the damage to the rest of us, not the damage to them.)
Some Pubstrate and soci-el screenshots
Here's a Pubstrate screenshot, showing items in a feed. (It includes a little bit of a sappy micro-love-note. I was demo'ing to Morgan, sorry!) But the cool part is...
Here's a screenshot of soci-el, the emacs ActivityPub client I've been writing. The neat thing is that you see that on the right side, the *soci-compose* buffers I composed the messages from (yes, it's using org-mode, yes I'm using comments to hackily handle the "headers" section). These were then sent across the wire using the ActivityPub protocol. On the left side you can see my outbox rendered, also pulled down through the ActivityPub API.
@Sean Tilley It could be, if you are brave, you can try it now. However, I recommend you wait a few weeks until I make a public release... there are huge gaps missing in the application, and there is no documentation. For example, there is no "registration" page; I load users into the database via the scheme REPL. That's not good external UX. ;) It's also probably harder to install, currently, if you're not using Guix, because of an obscure library (irregex) which isn't really needed, so I'll be removing soon.
It's close to a "download and try it" alpha, but not there quite yet. But the foundations are good. After my demonstrations at TPAC I'll work on making it into a package that others can try out.
I'm glad others are excited! :)
Finally cut el-get out of my .emacs'ing, and down to only 3 packages using emacs' package interface... everything else I'm pulling out of Guix. Great!
@Christopher Allan Webber ah, okay. That makes a lot of sense.
WRT security, that's a very good point. I use different computers often enough that not having my package list under version control is something that's unsustainable, but you're totally right. (MELPA in particular didn't even do TLS for a long time, although that's thankfully not the case these days.) *sigh* I guess I should add "make ELPA have better security" to my endless TODO list :)
I've also never really regretted upgrading a package, even though I'm not even on MELPA Stable. How many packages do you use? (I'm sure it's more than me!) Or perhaps that's the wrong question - a better one might be, how many SLOC do you have in your .emacs that customize packages, and how complex are the customizations (e.g. just setq or something more complicated)?
Less than 9 ActivityPub issues left as of this morning. Hope to get as close to 0 as I can today.
Rebalancing how the web is built
Great article by Manu Sporny, about how the W3C's current structure makes developing important new standards difficult and prioritizes large organizations among all else. It includes suggestions on how to move in a healthier direction.
Pubstrate + soci-el + ActivityPub update for 2016-09-10
Following up from last week's update (well, plus a few days)... a lot has happened.
- Session stuff was put to use. Logins/logout now work.
- I wrote a configuration subsystem. You can now configure the application, and have the configuration validate against a spec. The configuration files are written in scheme, but pleasantly, there's a command line script which will generate a default config for you, with some infrastructure so that it will be a nice little wizard asking you questions later.
- Backported some stuff from Guile 2.1/2.2 so that if you're still using Guile 2.0, you can still redirect from relative links. (This was originally against the HTTP 1.1 spec, but in a revised version, it was relaxed.)
- Command line interface now supports multiple subcommands, used for config bootstrapping stuff mentioned above.
- Much, much refactoring.
- Wrote a full widget/form rendering library, a-la Python's WTForms, but without all the mutation.
- Added page to authorize clients.
- User outbox now renders as AS2 on a GET.
- Various improvements and bugfixes.
So 5 days ago, I hit the point where I needed to have a decent client to be testing things with. Prior to this I had just been using the guile REPL to do some crappy posting. I realized I wasn't capturing the experience of any kind of real use though, and I needed to demo a real client, so I started building one.
I really fought with myself over what I should build it in. Weighing the options, I initially decided a Pumpa-like interface in GTK2 would be the most generally demonstratable, and would allow me to leverage the Guile bindings I had already written. So I started writing that, but soon ran into problems... I spent about 4 hours trying to get GTK box packing to cooperate on the most trivial things and realized I wasn't having any fun. I was feeling depressed and full of doubt.
I kind of felt like, maybe an emacs client would be most fun for me. But that would mean reimplementing nearly all of the activitystreams handling code from Guile into Emacs Lisp. So I decided to take an evening to see if I could do it. Well, within a few hours I had nearly everything ported, and by the next day I had generic methods written! I also made a mockup that felt compelling for an emacs interface, and was able to make use of that look... within a short period I had a working experimental rendering function, and shortly after that I managed to render another entry, this one borrowed from @rhiaro's blog (which exposes an AS2 version).
So, emacs client it is! I've been forging forward, and as of right now I can connect emacs to my localhost instance of Pubstrate and pull down and render my outbox. Hooray!
I still need to be able to post things though. For the moment, I am thinking of taking the (hilarious?) route of being able to author content in org-mode (which will be rendered to HTML before being posted to the server).
In the meanwhile, I am also trying to wrap up all the ActivityPub issues I can, though I've been more focused on the software.
I feel like things are coming together, but I'm very afraid that even if I put in all my energy, I won't get things far along fast enough. I'm very stressed out because of this. I know some of you have said "it isn't worth your mental health", but maybe some deadlines, if they are important enough, are. Nonetheless my mental health is admittedly very poor right now... and my physical health isn't doing so great being in crunchtime either. If I step back and look at my productivity, it seems very good on its own. Put in context of a ticking clock, it feels like not enough.
Not long left till TPAC. Wish me luck.
@firstname.lastname@example.org Is this the kind of TPAC you are talking about?