by jeroenhd 1060 days ago
I've been looking into hacking ActivityPub into some projects that I run but there are a lot of caveats. For one, there's "ActivityPub" and there's "ActivityPub that Mastodon (and therefore most of the Fediverse) can interoperate with reliably".

For example, Mastodon has some artificial requirements that add signature requirements to public APIs to reduce bot and spam load. This isn't in the spec as a mandatory requirement, but if you don't do it then parts of the Fediverse won't be able to follow you. There are also expectations attached to certain activities that aren't in the spec but will confuse people on most other servers.

The easiest solution I came up with was to run a server that already does all of the hard work (gotosocial, Mastodon, etc) and call its API to add new posts.

1 comments

"that add signature requirements to public APIs to reduce bot and spam load" Hmm? Are you talking about AUTHORIZED_FETCH? That's specifically an opt-in (and discouraged) feature that's meant to reduce the possibility of blocked instances retrieving your posts and displaying/replying to them on their own servers; it has nothing to do with bot or spam load.

"This isn't in the spec as a mandatory requirement, but if you don't do it then parts of the Fediverse won't be able to follow you."

I don't think this is true even when using AUTHORIZED_FETCH; Mastodon still displays the minimum set of Actor information necessary to complete a follow request (public key, username, etc), so I don't really know what this part of the post might be referring to.

Authorized fetch is just one lever to pull in the massive moderation machine that Mastodon offers. On its own it's not very useful, but together with decent configuration it can help against scammers impersonating accounts on your server from a similar domain. Twitter is full of people who replicate other accounts and add random racist shit for some obscure reason (a deep grudge? Mental illness?) and without authorized fetch you'll have no way to effectively block such scrapers.

Enabling authorised fetch breaks federation with several other servers and some apps as well. Previously valid post IDs may suddenly become unavailable or break, which some services trying to backfill posts absolutely cannot deal with.

I believe actors are available as barebones actor information not to break federation completely, but I don't believe this type of compatibility is available for individual statuses.

Personally, I don't see why I shouldn't enable the setting on my own servers because the extra control it provides is probably worth it for the few exotic broken servers out there, but it's a gotcha if you expect the protocol to work as described in the spec alone.