Looking for #ActivityPub implementations with #RFC9421 support! 🔍

As mentioned in the Fedify announcement below, I've implemented RFC 9421 (HTTP Message Signatures) and need to verify its interoperability with other ActivityPub implementations.

The challenge is that most major ActivityPub projects don't seem to have full RFC 9421 implementations in production yet. If you're working on an ActivityPub project that:

  • has implemented RFC 9421 (even in a development branch)
  • is currently implementing it
  • has plans to implement it soon

Please reach out! I'd love to collaborate on interoperability testing to ensure our implementations work properly with each other before merging this into #Fedify's main branch.

Any leads or connections would be greatly appreciated! 🙏

We are implementing the final version of RFC9421 (HTTP Signatures) in Mastodon, and would like to test this with other ActivityPub implementations.

Do you know of any AP implementations supporting both incoming (verification) and outgoing (signing) RFC9421 signatures, and if possible with support for the double-knocking mechanism as described in https://swicg.github.io/activitypub-http-signature/ (section 3.5)?

@jim They're all generally internally consistent and interoperable. My point re authn/z, was that #ActivityPub for example doesn't define particular mechanisms, which is why an independently developed AP-client and AP-server can't talk to each other. Ditto AP-server w/ another AP-server. That's based on spec, as opposed to specific implementations agreeing on terms prior to communication / out of band. What's out there is mostly a software implementation offering both AP-client and AP-server.

Looking at Solid Project: Can anyone give an overview of how this fits together with or complements ActivityPub?

https://solidproject.org/TR/protocol

@strypey @skyfaller @hugh @bob

I did not mention a #SocialHub thread. There are multiple discussions where various aspects were discussed, that might still be useful. The search facility is the best way to find them.

As for AndStatus, the GitHub issue lists their step-by-step progress in investigating what was needed, and what the challenges were. One of them was unavailability of appropriate server back-ends to test against, mentioned *at the time* as a challenge.

Would ❤️ more #ActivityPub C2S dev.

@naturzukunft
> rdf-pub.org is providing c2s

Awesome, so that's at least 3 server packages to test clients against. Pleroma, Epicyon, and rdf-pub.org.

#ActivityPub #C2S

@smallcircles @skyfaller @hugh @bob

@smallcircles
> what is needed client-side can be found in the AndStatus project ... there were among others no server implementations to test against

Seems like Pleroma had it working before mid-2020;

https://pleroma.social/announcements/2020/05/10/pleroma-security-release-2-0-4/

The Epicyon server has support for AP C2S too, so that could also be used to test apps trying to implement it;

https://libreserver.org/epicyon/

Was any of this mentioned in the SH thread?

#ActivityPub #APC2S

@skyfaller @hugh
@bob

@skyfaller @hugh

Also #SocialHub #ActivityPub developer forum has a bunch of C2S-related topics. You can use the forum search facility.

https://socialhub.activitypub.rocks

A very detailed investigation on what is needed client-side can be found in the #AndStatus project. It was never completed AFAIK as there were among others no server implementations to test against.

As far as I understand, most (all?) fediverse #ActivityPub software does not use the Client-to-server protocol from the specs (https://www.w3.org/TR/activitypub/#client-to-server-interactions) but rather use custom APIs instead.

Any fediverse devs able to explain why? Is there a technical reason/limitation, or is it more about other considerations?

I'm looking for information here rather than speculation, thanks.

:boost_ok:

I added some basic #activitypub support to humungus based on the #forgefed vocabulary. Repository, Commit, etc. And of course updated #honk as well. So now you can follow the honk repo from within honk itself and see all the commits fly by. Still a work in progress, but it’s live now. Probably do a longer write up next week.

Within the context of threaded discussions, contexts (aka "topics", "posts", "threads", etc.) are associated with an audience (aka "forum", "category", "community", etc.).

What happens currently when a context is moved from one audience to another? How does ActivityPub enabled software communicate this?

I recently moved this topic from one category to another, and in doing so, realized that I have absolutely no idea what happens to the group association as seen by other software.

@rimu@piefed.social also said in the other thread:

> Also moving what NodeBB calls a topic (a post in Lemmy/PieFed) from what NodeBB calls a category (community in Lemmy/PieFed) into a different category (without spawning a new topic or leaving the old copy behind) is much needed but not implemented in Lemmy/PieFed/Mbin.

One solution would be to federate an Update activity, though this is problematic because audience, the relevant field in question, is on its way out.

Another solution would involve the Move activity, which would be an explicit signal that something moved somewhere. In this case, the Move would indicate the context moved to the new audience, or in AP software that have not implemented FEP 7888, then the top-level object will have moved to the new audience.

cc @andrew_s@piefed.social @melroy@kbin.melroy.org @bentigorlich@gehirneimer.de @nutomic@lemmy.ml

Pixelfed before v0.12.5 has a vulnerability where it could leak your private posts, regardless of whether you are a Pixelfed user or not.
Admins should update ASAP.

When following someone from a different server on the Fediverse, the remote server decides whether you are allowed to do that. This enables features like locked accounts. Due to an implementation mistake, Pixelfed ignores this and allows anyone to follow even private accounts on other servers. If a legitimate user from a Pixelfed instance follows you on your locked account, anyone on that Pixelfed instance can read your private posts.

I wrote a blog post about how I found the vulnerability, how disclosure coordination went and general ramblings about Fediverse safety:
https://fokus.cool/2025/03/25/pixelfed-vulnerability.html
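The class of mistake described in the post above, as an added example that is not from the post or from Pixelfed's code: a follow of a remote account has to stay pending until the followed account's own server sends an `Accept`, and followers-only content is gated on that state. `FollowStore`, its method names and the actor URLs used with it are hypothetical.

```javascript
// Constructed model of remote-follow handling; all names are hypothetical.
class FollowStore {
  constructor() { this.state = new Map(); } // key: "follower -> target"
  static key(follower, target) { return `${follower} -> ${target}`; }

  // Flawed pattern: the relationship is stored as accepted the moment the
  // Follow is sent, so the remote server's decision is never consulted.
  requestFollowFlawed(follower, target) {
    this.state.set(FollowStore.key(follower, target), "accepted");
    return { type: "Follow", actor: follower, object: target };
  }

  // Corrected pattern: the relationship stays pending until the remote side answers.
  requestFollow(follower, target) {
    this.state.set(FollowStore.key(follower, target), "pending");
    return { type: "Follow", actor: follower, object: target };
  }

  // Handle an inbound Accept or Reject. `authenticatedActor` is the actor
  // whose HTTP signature was verified on the delivery.
  handleResponse(activity, authenticatedActor) {
    const follow = activity.object;
    if (!follow || follow.type !== "Follow") return false;
    // Only the followed account may answer its own follow request.
    if (activity.actor !== authenticatedActor) return false;
    if (activity.actor !== follow.object) return false;
    const key = FollowStore.key(follow.actor, follow.object);
    if (this.state.get(key) !== "pending") return false; // no unsolicited answers
    if (activity.type === "Accept") this.state.set(key, "accepted");
    else if (activity.type === "Reject") this.state.delete(key);
    else return false;
    return true;
  }

  // Gate for showing followers-only posts by `author` to `reader`.
  mayReadPrivate(reader, author) {
    return this.state.get(FollowStore.key(reader, author)) === "accepted";
  }
}
```
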

I just discovered why some of my followers from larger #Mastodon instances (like mastodon.social) would mysteriously unfollow me after a while!

A pull request was just merged in Mastodon that fixes a critical bug in their follower synchronization mechanism.

Turns out Mastodon implements the FEP-8fcf specification (Followers collection synchronization across servers), but it expected all followers to be in a single page collection. When followers were split across multiple pages, it would only see the first page and incorrectly remove all followers from subsequent pages!

This explains so much about the strange behavior I've been seeing with #Hollo and other #Fedify-based servers over the past few months. Some people would follow me from large instances, then mysteriously unfollow later without any action on their part.

Thankfully this fix has been marked for backporting, so it should appear in an upcoming patch release rather than waiting for the next major version. Great news for all of us building on #ActivityPub!

This is why I love open source—we can identify, understand, and fix these kinds of interoperability issues together. 😊
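The failure mode described in the post above, as an added example that is not Mastodon's or Fedify's code: reconciling local follow records against a remote followers collection is only safe after every page has been read. The collection contents, URLs and function names are constructed, `first` and `next` are assumed to be URL strings, and the digest comparison that FEP-8fcf performs before this step is left out.

```javascript
// Constructed remote followers collection split over two pages; URLs are placeholders.
const REMOTE = new Map([
  ["https://remote.example/followers", {
    type: "OrderedCollection", first: "https://remote.example/followers?page=1" }],
  ["https://remote.example/followers?page=1", {
    type: "OrderedCollectionPage",
    orderedItems: ["https://big.example/u/a", "https://big.example/u/b"],
    next: "https://remote.example/followers?page=2" }],
  ["https://remote.example/followers?page=2", {
    type: "OrderedCollectionPage",
    orderedItems: ["https://big.example/u/c"] }],
]);

// Stand-in for an HTTP fetch of an ActivityStreams document (hypothetical helper).
function fetchDoc(url) {
  const doc = REMOTE.get(url);
  if (!doc) throw new Error(`fetch failed: ${url}`);
  return doc;
}

// Collect items from every page, following `first` and `next`.
// Throws on a loop or page cap so a partial list is never returned.
function collectAll(url, maxPages = 100) {
  const root = fetchDoc(url);
  const items = [...(root.orderedItems || root.items || [])];
  const seen = new Set([url]);
  let next = root.first;
  while (next) {
    if (seen.has(next) || seen.size > maxPages) throw new Error("pagination loop or page cap hit");
    seen.add(next);
    const page = fetchDoc(next);
    items.push(...(page.orderedItems || page.items || []));
    next = page.next;
  }
  return items;
}

// Local follow records that the remote list does not confirm. An incomplete
// remote list makes valid followers look stale, so pass collectAll() output.
function staleFollowers(localFollowers, remoteFollowers) {
  const remote = new Set(remoteFollowers);
  return localFollowers.filter((f) => !remote.has(f));
}

// The single-page assumption the post describes: only the first page is read.
function firstPageOnly(url) {
  return fetchDoc(fetchDoc(url).first).orderedItems;
}
```
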

Happy Tuesday!

Today we've updated the NodeBB community forum onto the remote-categories testing branch, which means that users on the open social web that identify themselves as "Groups" will be rendered in NodeBB as categories. Prior to this, they looked like users.

Here are some examples of remote categories:

ActivityPub "groups" and forum categories have quite a few things in common — they don't usually post topics themselves, they "contain" topics, and they are usually administered by a separate group of users (moderators!) In many ways, these groups lend themselves to categories much more easily than they do as users.

Notes:

  • We will likely be releasing this as v4.3.0-alpha this Wednesday. Probably this means you don't want this on a live forum just yet.
  • A lot of the backend logic is complete, but a lot of the frontend UX will be worked on.
  • You can "search" for categories (via "in categories" in the search page), paste the full handle in order to instruct NodeBB to pull a new category in.
  • You can now no longer mention a remote category. Instead, create your topic right in that category itself. As it should be :smirk_cat: .
  • Remote content coming in that is slotted into a remote category will still show up in your "world" feed. That is still intended to be where discovery of content outside the local NodeBB instance will take place.
  • Report any bugs or confusing behaviours (and there will be some) here.

@infinite love ⴳ

> we might not ever be able to repay the technical debt

I think that's a bit pessimistic.

#ActivityPub today is where HTML was in the early 2000s - underspecified, and everyone did it differently - but we recovered from that, through a concerted standardisation effort and a lot of patience, and I don't see why that can't happen to ActivityPub too.

Saddling small sites with the same duties as huge platforms means many will shut down in a hammer blow to net plurality.

We'll be left with the Sophie’s choice of monopoly services; the incubators of online harms.

URGENT: The UK government must change the Online Safety Act to protect safe, non-commercial blogs, forums and fediverse.

Write to your MP to #SaveOurSites 🌐

https://action.openrightsgroup.org/save-our-sites-write-your-mp

Hi @andrew_s@piefed.social/@freamon and @nutomic@lemmy.ml —I'm working (not-so-secretly) on refactoring NodeBB so that it is able to "browse" remote audiences/group actors, and that would include things like PieFed and Lemmy communities.

N.B. Given varied nomenclature (group/category/community/subforum), the ForumWG calls this structure an "audience".

Where I am at now is working through the logic for slotting an object into a category.

The most obvious choice here would be to look at as:audience. It's even specified in 1b12, and the majority of threaded implementations follow 1b12.

I am making this post because nutomic explicitly removed the audience from being served in Lemmy (as of January this year), so I don't think relying on that property would be wise.

I asked in that issue whether Lemmy finds community via to/cc (it does). Does PieFed do the same?

Would this also open up the possibility of a topic/context being part of multiple audiences/communities? Interesting...

@hamishcampbell@mastodon.social recently made a statement that got me thinking about our place in the open social web, and the direction it's going.

He says to @deadsuperhero@social.wedistribute.org and @evan@cosocial.ca re: SXSW

> #FediverseHouse this feels like an irrelevant echo chamber, I really miss the grassroots #DIY that built this space in the first place. This #maistreaming is too much noise vs signal... currently the grassroots #DIY space is a hollow shell

(two posts combined)

That immediately got me on edge as someone new to ActivityPub in 2024. Does this mean I'm "mainstream", and somehow "bad"?

Mainstream adoption is good and a step in the right direction. I personally think ActivityPub isn't ready for general mainstream consumption, but we as a group are rapidly closing the gap and I'd much rather continue building momentum instead of waiting for the opportune moment.

Here's the hot take that I was going to originally write, but thought came off as too combative:

It sounds like you feel like ActivityPub development only counts when you're toiling away in obscurity.

As someone who's hacking away on a platform that hasn't been "mainstream" for over a decade (forum/BBS software), I bristle at the notion that what I do doesn't count as grassroots or DIY. You don't have to be the perpetual underdog to do good in the world.

I might be wrong, but it sounds like Hamish feels like big players are coming in and taking the ball away... that big players' clout and presence takes away from the attention that smaller DIY projects receive.

Maybe... but if the fediverse is 100x larger with a big player, and they take 99% of the eyeballs, have they really taken anything away from you?

@newyorktimes's veteran tech reporter John Markoff interviewed some of #TeamFediverse including @Gargron, @reckless1280 and our CEO @mike for a feature on the rise of decentralized social media. “It goes back to the original principles where the internet started out as decentralized,” Eugen Rochko told Markoff. Here's the full story [may be paywalled].

We're so excited to develop these conversations further at SXSW this weekend — check out the itinerary and sign up to join us at #FediverseHouse at the second link.

https://flip.it/NcjhLL

https://lu.ma/xbve5fa0

I'm finally unveiling the #ActivityPub project that has been consuming my weekends: Encyclia, an #ORCID bridge that will make ORCID records followable and interactable on the fediverse. 🙂

It's early-stage and the ORCID following function is not publicly available yet. We're seeking community feedback on functionality and safety aspects. Read more at https://encyclia.pub or follow @encyclia for news!

Wanted to start a convo with @johnonolan@mastodon.xyz from Ghost and @angus@socialhub.activitypub.rocks from Discourse about AP resource discovery.

A common use case from fediverse users is to be linked out to a site, and attempt to "bring it in" to their local instance/app of choice. This is done by taking the browser URL and pasting it into their site/app's search bar, or equivalent.

For example:

For context, last night I discovered that Ghost's latest blog post didn't make it into NodeBB, due to a bug on my end. I attempted to resolve it via URL but there was no AP resource at that URL. I ended up having to query the instance actor (which I happened to already know), and looking at the outbox.

To my knowledge there is no way to find a Discourse post or topic's AP resource ID without having a local Discourse account.

Would it be possible for you to send back an HTTP 301 Moved Permanently (or similar) if the Accepts header contains one of the AP-related types?

N.B. This probably has some overlap with @evan@cosocial.ca's HTTP Discovery Task Force, a 308 is recommended there.
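One way a site could answer the request in the post above, as an added example that is not code from NodeBB, Ghost or Discourse: redirect the human-facing URL to the ActivityPub id only when the `Accept` header carries an ActivityPub media type with a non-zero weight, and send `Vary: Accept` so a shared cache does not hand the redirect to browsers. Function names and the URL map are hypothetical; the status defaults to the 301 named in the post and can be set to 308.

```javascript
const AS_PROFILE = "https://www.w3.org/ns/activitystreams";

// Parse an Accept header into [{type, q, params}] entries.
function parseAccept(header) {
  return (header || "").split(",").map((part) => {
    const [type, ...rest] = part.split(";").map((s) => s.trim());
    const params = {};
    for (const p of rest) {
      const i = p.indexOf("=");
      if (i > 0) params[p.slice(0, i).toLowerCase()] = p.slice(i + 1).replace(/^"|"$/g, "");
    }
    const q = params.q === undefined ? 1 : Number(params.q);
    return { type: type.toLowerCase(), q: Number.isNaN(q) ? 0 : q, params };
  }).filter((e) => e.type);
}

// True when the client asks for an ActivityPub representation.
// application/ld+json only counts with the ActivityStreams profile.
function wantsActivityPub(header) {
  return parseAccept(header).some((e) => {
    if (e.q <= 0) return false; // q=0 means "not acceptable"
    if (e.type === "application/activity+json") return true;
    if (e.type !== "application/ld+json") return false;
    return (e.params.profile || "").split(/\s+/).includes(AS_PROFILE);
  });
}

// Decide the response for a page URL. `apIds` maps page URL -> AP object id.
function negotiate(acceptHeader, pageUrl, apIds, status = 301) {
  const headers = { Vary: "Accept" };
  const apId = apIds.get(pageUrl);
  if (apId && wantsActivityPub(acceptHeader)) {
    return { status, headers: { ...headers, Location: apId } };
  }
  return { status: 200, headers: { ...headers, "Content-Type": "text/html; charset=utf-8" } };
}
```
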

Even before the arrival of #atproto, the question of what #decentralization of the web means was quite murky, with multiple competing protocols at different abstraction layers. As frequently said, at one level the web is already decentralized so envisaging pure #p2p is also conceivable, why the need for #activitypub (or whatever) "servers"?

We come to realize that the problem is not well defined. First of all it does matter what you assume about the distribution of silicon and networks...

1/

Yes, of course Peertube sends hashtags without the #, why would I expect otherwise? :laughing:
