Some people tweet. (Me, previously.) Some people toot. (No, thank you.) I have decided to honk.
honk is rather early stages at this point, with about 17 more schema rewrites alone before it can be considered ready, but here’s a few notes about interfacing with other members of the ActivityPub federation. aka, so you think you want to talk to big M?
I could just run Mastodon myself, but I’m too lazy to figure out how to install all its dependencies and too stupid to run docker.
The first thing you learn trying to talk to mastodon, or have mastodon talk to you, is that it’s not enough to implement ActivityPub. Supposedly that’s the standard that lets the federation talk to itself. “All servers of Mastodon are interoperable as a federated network, i.e. users on one server can seamlessly communicate with users from another one. This includes non-Mastodon software that also implements ActivityPub!” Not actually true. Key point in AP: a user (or “actor”) is identified by a URL, like https://honk.tedunangst.com/u/tedu. M would prefer that you are identified as @email@example.com. You (or some M user) can put a URL in, but it still won’t work unless you also implement something called WebFinger, which is not part of AP.
Next, you need to sign messages somehow. The AP standard mentions this is a good idea (I would agree), but doesn’t specify how or what, leaving it up to individual instances. Of course, there’s no way to discover what anybody requires, except maybe by downloading the source code. M happens to support sticking a signature in the JSON or using http signatures. In theory, one can use several signature schemes, but in practice it’s all RSA. It’s 2019, and I am writing new code for a new protocol that uses PKCS1 1.5.
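The HTTP signature check described above, as an added example (not honk's or Mastodon's code): it assumes the draft-cavage HTTP Signatures header layout with RSA PKCS#1 v1.5 over SHA-256. The host names, key id, and the Hash of lower-case header names are constructed for illustration.

```ruby
require "openssl"

# Rebuild the text the sender signed: one "name: value" line per covered
# header, where (request-target) stands for "method path".
def signing_string(method, path, headers, names)
  names.map do |n|
    value = n == "(request-target)" ? "#{method.downcase} #{path}" : headers.fetch(n)
    "#{n}: #{value}"
  end.join("\n")
end

# Verify with RSA PKCS#1 v1.5 over SHA-256. The receiver fixes the algorithm;
# whatever the sender puts in algorithm= is ignored. headers is a Hash keyed
# by lower-case header name (an assumption of this sketch).
def verify_request(method, path, headers, public_key)
  params = headers.fetch("signature", "").scan(/(\w+)="([^"]*)"/).to_h
  names = params.fetch("headers", "").split
  # A signature that skips the target or the date is not bound to this request.
  return false unless (%w[(request-target) date] - names).empty?
  sig = params.fetch("signature", "").unpack1("m0") # strict base64 decode
  public_key.verify(OpenSSL::Digest.new("SHA256"), sig, signing_string(method, path, headers, names))
rescue ArgumentError, KeyError, OpenSSL::PKey::PKeyError
  false # bad base64, a covered header that is absent, or a malformed signature
end

# Constructed sample: an inbox POST signed the same way with a throwaway key.
def signed_sample(key, names)
  headers = { "host" => "honk.example", "date" => "Mon, 01 Apr 2019 00:00:00 GMT" }
  sig = key.sign(OpenSSL::Digest.new("SHA256"), signing_string("POST", "/inbox", headers, names))
  headers.merge("signature" => format('keyId="%s",algorithm="rsa-sha256",headers="%s",signature="%s"',
                                      "https://m.example/users/alice#main-key", names.join(" "), [sig].pack("m0")))
end

key = OpenSSL::PKey::RSA.new(2048)
request = signed_sample(key, %w[(request-target) host date])
puts verify_request("POST", "/inbox", request, key.public_key)  # true
puts verify_request("POST", "/outbox", request, key.public_key) # false
```

In a real inbox the public key comes from fetching the actor document named by keyId, so a key that can no longer be fetched leaves the message unverifiable.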
Somewhat related, I get a ton of Delete spam. I have no idea who Frankblack is, but I know he deleted his account because some M instance sent me a message. Allegedly. I couldn’t verify the message because the key used to sign it is 410 Gone as well. I’ve only been online for a few days, and I get a steady stream of such messages from all manner of servers that I’ve had zero prior interaction with. Literally first contact is them delivering this account deletion message to my inbox. How did they even know I was online? Why would I possibly care that somebody I don’t know deleted their account? Why does this message need to be propagated to me?
The great thing about standards is there’s the one you’re supposed to use and the one you have to use. AP specifies Accept: and Content-Type: headers of application/ld+json but also mentions you may support application/activity+json. Of course, there’s no may about it. You must support the activity subtype, because that’s what you’re going to get. Not to mention that while these strings are supposed to be case insensitive, there are definitely at least some parts of the larger ecosystem that can only handle lower case.
I don’t know how other people use Mastodon, but I found the web experience terrible. You visit an instance, it fires off 100 requests to load styles, and scripts, and sockets, oh my. In the meantime, I’m looking at a blank window wondering if my network is broken. This could be 30 seconds or more, then finally some boxes and windows start to appear. People on Medium tell me M is really fast. Not my experience at all. Not sure how to explain the discrepancy.
Maybe it’s better if you only use one instance and never close the tab. But then how do you discover cool new people? You see an awesome toot, you click on the tooter to visit their instance to see more awesome tooters. Why is this painfully slow? And how are you supposed to pick an instance in the first place without browsing around? In any case, I browsed around a few different instances to see what was out there. It was not fun.
Sometimes I landed on a Pleroma instance, which wasn’t much better, and occasionally worse. Big P seems to solve the slow visiting other instances problem by shadowing remote user profiles onto the local instance. Which is kinda weird. You have a profile over there, but also over here? Also, the front end socket rocket factory framework has a fun bug where it simply retries requests after a 403 Forbidden. So if somebody privates their posts, your browser will display a loading spinner while quietly burning bandwidth with dozens of background requests.
I had a more responsive experience running Prodigy on a 386 over a 2400 baud modem. Considering the end goal here is to transmit a few hundreds of characters, I think we’ve lost our way. honk is far from done, but I endeavor to keep it usable by people with only 8GB of RAM.