Comment by steveklabnik
3 years ago
This is a private beta. Nobody is suggesting that any of this be used for anything serious just yet. Development happens out in the open, you can go find out what else they've missed by doing the work, or by waiting until others you trust have done so.
I myself have had an account for like a month now, but only started really using it a week ago, because that calculus changed for me, personally.
Like, it's not even possible to truly delete posts at the moment. This all needs to be treated as a playground until things mature.
This isn't even the first "scandal" related to this feature already!!!! There is another hole in what currently exists that allowed someone to temporarily impersonate a Japanese magazine a few weeks back.
Dunno. That’s such a fundamental piece of thinking you just have to come across in the design phase, I don’t know how you would build a beta that didn’t avoid the issue in the first place unless you had a flawed take on security in the first place.
It is surely easy to cast stones at a single bug, but I don't think that's the right way to look at things.
I wouldn’t have made my remark if this would just be a bug, though. We’re looking at a bespoke domain ownership verification mechanism that doesn’t handle its primary usecase well, failing at something solved in lots of different ways over the past decades.
I have written atrocious bugs over the years, so I’m definitely not in the stone casting business here. However, I can’t see this as simply a bug, rather than a fundamental design flaw. And if an entity is both becoming infamous for reinventing the wheel, and attempting to fill a sensitive niche, I feel it has somewhat of an obligation to accept criticism such as that.
1 reply →
"We'll build our own validation instead of using one of the existing standards that make perfect sense." is not just "a single bug". It's a flaw in architecture.
A PR of "Change external domain validation to use .well-known (or DNS01, etc)" is not a "bugfix"
3 replies →
Okay, yes, but this indicates that they didn't read the ActivityPub before developing their own new shiny protocol.
Paul has lots of experience designing protocols. He designed SSB. ActivityPub does a lot of things wrong from first principals.
The whole point was to start from scratch.
> ActivityPub does a lot of things wrong from first principals
I'd be curious to learn about those.
4 replies →
I don't personally believe that one mistake indicates ignorance of an entire topic.
In general - no, but this kind of fundamental mistake might.
8 replies →
The pull of NIH is a strong one.
But this isn't a implementation issue. This is a fundamental design issue. If their design philosophy is to throw stuff against the wall and see what fits then I don't see this as ending up as better than the existing fediverse.
Are there any Rust implementations of the protocol yet :vv:
Multiple, in varying degrees of maturity. And I'm also writing one from scratch, don't know if I'll bother to share it with anyone though, I just want to learn more deeply, and implementation is the best way to do that.
I have my eyes on https://github.com/sugyan/atrium as a foundational library in this space, and expect folks to coalesce on it. But we'll see.