
@boyter That's why I said that you should open accounts on different instances using different implementations. Because, sadly, _no one implements the standard as is_, so what everybody does is support the Mastodon API and then add extensions of their own. These extensions are standard-compliant, but obviously not included in it. Maybe that's what's confusing you?

@boyter There is a decent spec. There actually are several: ActivityPub (w3c.github.io/activitypub/), which is based on ActivityStreams, which in turn uses ActivityVocabulary. There's RFC 7033 for Webfinger, OAuth2 for authentication, etc.

And that's AP, but the Fediverse also uses OStatus and WebTorrent among others. The most widely used is AP, but it's not the only one.

@boyter
> the follower only bit I am very interested in. Where in the Create event does it live? I am totally willing to ignore those posts.

Visit any post (or status) URL, GET it, but with an HTTP request header like this:

Accept: application/ld+json; profile="w3.org/ns/activitystreams"

In the json-ld document that you'll receive there is a field called (unsurprisingly) "to". If a post is followers-only it will add a URL that ends in "/followers" (if I'm not mistaken, I'm just guessing). It is not Mastodon specific.

But, seriously, don't do that. Use some other method to test your implementation. The one I recommended in my first reply is best, even if some people don't like it. Don't insist on mastinator. There are much better ways.

@boyter
> I thought having people follow was the point of playing in a federated system...

Well, more like having people _to_ follow—but not anonymously.

> I am aware that there is some "follower" only thing that I would be happy to honor, if someone could point me at where its actually implemented.

Each activity has an array of recipients, which are basically URLs pointing at people or general inboxes. When a post is follower-only, it is addressed to a followers URL, which the server resolves into each particular account.

But that's not the point. The point was that you were following people, which means you were allowed to see those posts. There's nothing wrong about that. The problem was (allegedly, I haven't tried it) that you let everyone access all those posts (regardless of visibility) without any previous authentication.
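An added example, not part of the original posts or of any project's code: a fail-closed audience check for the "to" field and recipient array described in the two replies above, so that a receiving service only shows a post without authentication when it is addressed to the ActivityStreams public collection. The category names follow Mastodon's conventions, and the sample documents, the `social.example` URLs and the function names are constructed for illustration.

```python
# The ActivityStreams public collection, in its full and compacted spellings.
PUBLIC = {"https://www.w3.org/ns/activitystreams#Public", "as:Public", "Public"}

def _ids(value):
    """JSON-LD allows one value or an array, as strings or objects with an id."""
    items = value if isinstance(value, list) else [value]
    ids = []
    for item in items:
        if isinstance(item, dict):
            item = item.get("id")
        if isinstance(item, str):
            ids.append(item)
    return ids

def audience(obj, followers_url=None):
    """Classify a post or Create activity as public, unlisted, followers or direct."""
    to, cc = _ids(obj.get("to")), _ids(obj.get("cc"))

    def is_followers(url):
        if followers_url is not None:
            # Preferred: compare with the "followers" URL from the actor document.
            return url == followers_url
        # Fallback: the "/followers" suffix guess from the post (assumption).
        return url.rstrip("/").endswith("/followers")

    if any(u in PUBLIC for u in to):
        return "public"
    if any(u in PUBLIC for u in cc):
        return "unlisted"
    if any(is_followers(u) for u in to + cc):
        return "followers"
    return "direct"  # no public or followers addressing: treat as private

def may_republish(obj, followers_url=None):
    """Fail closed: only publicly addressed posts may be shown unauthenticated."""
    return audience(obj, followers_url) in ("public", "unlisted")

# Constructed sample documents (not captured from any real server).
FOLLOWERS = "https://social.example/users/alice/followers"
AS_PUBLIC = "https://www.w3.org/ns/activitystreams#Public"
SAMPLES = {
    "public": {"type": "Note", "to": [AS_PUBLIC], "cc": [FOLLOWERS]},
    "unlisted": {"type": "Note", "to": [FOLLOWERS], "cc": [AS_PUBLIC]},
    "followers": {"type": "Note", "to": FOLLOWERS, "cc": []},
    "direct": {"type": "Note", "to": ["https://other.example/users/bob"]},
}

if __name__ == "__main__":
    for name, doc in SAMPLES.items():
        print(name, audience(doc, FOLLOWERS), may_republish(doc, FOLLOWERS))
```

A post with no addressing at all is classified as direct, so malformed or unexpected documents are never republished.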

@boyter
> Alas announcing is hard when you don't know where to announce it.

Apart from following other accounts and creating your own network of like-minded people, you could have asked your admin what they thought of your idea, and about its pros and cons. But I agree, it's definitely hard to communicate when you follow no one and no one follows you. (By the way, you're running your own instance?)

In general, just get to know people and build relationships with those you feel you can trust. It's not like you did something illegal, but you have to make sure that you know how what you do can affect others.

Also, surrounding yourself with knowledgeable people could give you some guidance and help you notice the differences between AP implementations. All of them have their quirks and probably none of them follow the standard precisely.

In the end, the tl;dr of this post is: talk to people first, act later, even if you decide not to follow their advice.

Write a post with your needs and I'll boost it. Maybe that way you will be able to find allies.

@hughster We're not here to blame anyone, man. Everything's behind us now and nobody got hurt. Just block the instance and move on.

Maybe he should have announced his instance and his project before and asked for volunteers to be followed? Sure, he could have done that. Or he could have created test accounts in different servers? Of course. But what's done is done. He explained everything, he owned up to it, and that's what matters.

@boyter

@pyutaros Remember when Oprah decided to give free cars to her live audience? Well, your server works pretty much like that.

@boyter I didn't opt-in. I just have my follows open, because I wasn't expecting something like this to happen, which is also why I never felt like reviewing requests.

If you need to test some AP-based application, my advice is that you create an account on each platform (Mastodon, Pleroma, Misskey, etc.) and use those and advertise them as what they are.

Ask developers and admins for advice and permission. Most would have helped you with whatever needs you had, and this whole shitshow would have been avoided. (I call it shitshow, but I only noticed it by pure chance. Maybe it wasn't that big of a thing.)

My impression is that you went a little too _gung-ho_ on this, and that's why some people got mad. As you noticed, a lot of them are sensitive about their privacy and trigger-happy when they feel threatened, which is almost always.

Anyway, I'd like you to stay around, but please take into account that this is a communication platform, so try communicating before pulling something that affects other people like this. I hope you manage to finish whatever you wanted to do and help us secure the Fediverse.

@pyutaros It's not that complicated, but it's easier to understand it by experiencing it than by being shown or told about it.

@pyutaros That's the cool thing, you don't need to know. And, most of the time, you won't even realise it.

Wow. That blog post turned dark really quickly: “You're lucky I'm not evil, for if I was, you'd be royally fucked, BITCHES!”

(Ok, I exaggerated for comedic purposes, but _not by that much_.)

I'm still sympathetic with the author, though, and agree with most of what he says there.


I found this. Hope it helps everyone avoid the FUD:

boyter.org/posts/mastinator-ac

I must admit that I'm sympathetic to the author (@boyter, I think): it's true that it's difficult to test an AP implementation without some kind of infrastructure in place.

But I'm also with @aral: this should be opt-in.


@obi Yeah. I only know one person here IRL and I haven't seen him in ages.

@obi Not the same. Followers-only posts don't go into the RSS feed. Neither do DMs, of course.

I'm still reading on it and it doesn't seem malicious, but we'll see. What I don't like is the anonymous side of it. I'd rather err on the side of caution with these things.

I was just followed by an account(?) on mastinator.com. After careful consideration I decided to block the entire domain. Anyone (well, almost anyone) who wants to follow me is welcome, of course, but not anonymously. That's not cool.

I may reverse this decision in the future if I get more information, but, for now, this is it.

@MischievousTomato And I do, but it bugs me that they bring the subject up so much, as if publicizing it were going to solve it, or as if the rest of us could do anything to prevent it.

@orekix

@orekix That reminds me of a statistic I saw the other day about suicides in Finland. It turns out that in the nineties they went through a tremendous economic crisis. Well, in that situation, the number of suicides dropped sharply. It was as if they thought: “I can't shoot myself. I'm too busy looking for a job that lets me eat.”

@orekix I would have left out that last part, but it's true that it's a bit of a pain, because, if you show concern, they politely tell you to get lost. “It's a private matter.” Then why do you bring it up in public?

@Willdrick I'm not the boss of anyone. Use what feels right for you. Mine was just a suggestion.
