-
Notifications
You must be signed in to change notification settings - Fork 43
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Instance Opt-in #1305
Comments
I think it wouldn't be good to create a situation where admins can do it aginst their users' wishes, potentially users who don't want to be bridged but haven't put #nobridge in their profiles because it's opt-in. There's already a lot of frustration over admins being the determiners of who an instance federates with (both in blocking and not blocking) especially without much transparency and the difficulties of migrating away as a user if you don't like the decision. It might also be kinda one-sided since Bluesky is more of a single user experience without really having PDS admins in the way fedi instances do #966 should help a lot with opt-in though imo |
There's some previous discussion about this: #1118 |
TBH, fediverse culture seems to be that you should just go to whatever instance where you like the rules, so I don't think this makes a difference one way or another. Anybody can start their own Mastodon server and post the most terrible content. Federation with that server would still be opt-out (on instance basis or individual basis). So I still think this should be pursued! |
There's definitely a difference in baseline consent between ActivityPub and ATProto. Both user-discovery and search-indexing of posts are mostly opt-in on AP, while they're effectively mandatory on ATProto. I think the most recent example in Newsflip, who implemented following of ActivityPub actors for their accounts without federating those profiles. They tried to get around not receiving content by default by mass-following from a service account, which got That said, it's very much true that baseline consent on individual instances can differ from the protocol at large, so the feature does make sense to me. Instance admins usually do have the tooling to poll their users and establish consent in matters like this, as well as to notify about policy changes ahead of time. To avoid misunderstandings at the expense of Bridgy Fed, the bridged bio on other networks should clearly say that the account is bridged by default because the instance opted in though. |
Thanks for the discussion, all! And thanks @qazmlp for linking to #1118 . We don't really need to reopen the whole opt in vs opt out debate in general, but @h-2 you're definitely not the only person who wants this, a number of other fediverse instance admins have asked for it too. Sounds like there's at least some rough agreement here, at least between you all: it's probably ok for instances to automatically opt their users into the bridge, if they warn people loudly beforehand, during signup, and if users can easily opt out. As @h-2 mentioned, this feels similar to federation in general in the fediverse. Federation with other instances is usually open by default, and users and admins can both block/defederate specific instances if they want. Concretely, here's how this would work, from #1118 (comment) :
|
@h-2 if you or any other Mastodon admin set this auto-following up, please let me know how it goes, I'd love to hear! |
I'm pretty sure that wouldn't work as-is. Mastodon accounts start out without profile picture or bio, and they'd also not meet the account age requirement. |
Good points! |
When an instance is ready to try this, I can exempt them from the spam filter req'ts. |
I don't run my own instance, at least not at the moment. I am more interested in this from a user-perspective, i.e. I would try to convince the admins of the instances that I am on to activate such a feature. It's also, why I think the "follow the bridge account by default" is not bad, but it's also not what's going to bring about major change, since I don't imagine any instance retro-actively changing this for all their existing users. For transparency: I recently opened this issue on the main Mastodon issue tracker, but have received only one (not very helpful) answer to date: |
For what it's worth, there's potentially still that "relay" method I mentioned to get specifically public posts in a lightweight way instance-wide, but that would definitely require quite a bit of setup on the Bridgy Fed side. That would be a nicely distinguishable self-service mechanism, too. |
@qazmlp yes! Do you know of any good technical docs on relays? What the protocol and format are, which activities are expected - ie is it just |
I still can't find any official technical documentation unfortunately, but the gist is that relays are inboxes where you can The relay doesn't need to follow back, I think, (and possibly doesn't even need to be an actor!) though AodeRelay will do so if its relay/instance actor is followed directly: https://git.asonix.dog/asonix/relay/src/commit/a23b30cc91cad42a67c9c8d31ae76f946cca4969/src/jobs/apub/follow.rs After the initial follow is I'd suggest to just use your general inbox and handle everything as normal (i.e. with the usual filters), aside from a special case for that At this point the relay could also start sending public activity to the follower, but for Bridgy Fed I definitely wouldn't do that for relay-follows outside hashtag- or Bluesky-feed-based opt-ins for example. (I do not know how relays handle authorization for those. I guess Mastodon may have an API that tells you who the admin is?) Edit: Misskey handles it the same I think, not requiring an actor. I didn't check for distribution there, but logically it should include user updates and deletes just like Mastodon (because those users are very likely to be known through the relay via relayed posts). |
Btw, I very much agree with this. I tried to make the same point, clumsily, here, before BF's Bluesky support launched:
|
Yeah, it's unfortunate that there's such a mismatch in expectations. Arguably, if an ActivityPub user has all of {
"https://www.w3.org/ns/activitystreams#manuallyApprovesFollowers": false,
"http://joinmastodon.org/ns#discoverable": true,
"http://joinmastodon.org/ns#indexable": true
} and Bluesky as a whole was opt-out (so that all followers are visible and can be blocked if necessary), then that could reasonably be interpreted as Bluesky/ATProto-compatible as long as the bridged profile requests to not be web-visible, but I'm sure there'd still be people who'd complain about it quite fiercely even then. (It'd also potentially behave a little weirdly still, as changing any of these would have to turn off bridging. At least that's theoretically not destructive in ATProto.) (At least |
As a related, but minor point to improve the situation:
is added at the bottom. I would suggest changing this message to something that is more useful, e.g.
The core information that people need, is that they need to also follow the bridge. That's more important than a link to my original profile which most BSky users won't be able to interact with directly anyway. If you feel like adding things to the profile steals too much of the available text, could maybe instead add a sticky post to the profile? That would give more room for a message a la:
|
I strongly prefer the link to my profile, personally. That said, there are a few issues that make what you propose tricky. For one, the profile bio length limit is low on Bluesky, so any added text cuts off more of the bio. Second: Bluesky bios don't support pretty links. They are plaintext that's enhanced on the presentation side, not Markdown or HTML. Third, Bluesky currently doesn't support pinned posts at all. |
I'll reply to #1471 (comment) here since I think this post would be off-topic in #1471.
We should definitely look into letting instances provide ATProto handles for their users by default alongside this feature here. @pcottle In case you're not aware, one of the hard caps Bridgy Fed has with its current infrastructure is how many ATProto handles it can provide at once (#744). As of a few days ago, that was at 28k/50k used, and while increasing it doesn't seem to be too much of a problem right now, I think it's likely you'd exceed that very quickly if you enabled the bridge by default for everyone who has federation enabled. I'm sure you'd also prefer your users to have @snarfed I think we can assume that the account that performs the instance opt-in is also authorised to configure handle defaults for the domain via DM in some way, but Bridgy Fed would also need a way to inform an instance of the relevant I'll sketch two options that are relatively on-protocol, if that's okay: We could DM them to the service account as plaintext separately, but I think a much better solution would be to attach that information as extra properties to the Alternatively, we could send separate activities to users just for DID-and-handle updates, which to me seems the cleanest overall but would require most original semantics. The off-protocol option would probably be some kind of webhook call, but that seems like it would require additional interactive setup. |
I got a mini brief on the 28k/50k handle issue, but I figured we only take up those slots as either people opt-in (in the case of opt-in) or people get followed/followed by in the case of opt-out (which would be a much smaller number). But you're right, if a lot of the tech threads folks start jumping onto the bluesky bridge experience, we might hit that limit. What are the steps for serving AT handle resolution on our domain but not having to host an entire AT frontend? Especially if its just the steps associated with DID: it would be easy for us to defend that work |
Bluesky users can't natively look up a remote account that's not present on their network already, unfortunately. In theory it would be possible to integrate it into the existing request flow though, i.e. when someone requests a user on an opt-out instance (via Chat message to Bridgy Fed uses On your end, you'd only have to set up DNS or serve the |
Thank you @Tamschi! @pcottle, @Tamschi knows the current Bridgy Fed architecture well, all the info here so far is spot on.
This is the key open question for instance-level opt-in right now. In the fediverse, user discovery is pull-based. When you search for someone's handle, your instance/client queries their webfinger and fetches their actor on demand. On Bluesky, though, we'd have to create a Threads user's bridged Bluesky account and profile ahead of time to make it visible. We could do that! And even start bridging their posts immediately too. That's the most aggressive form of default-on bridging, which would generate the most load, and pressure on DNS capacity (#774), and also probably worry the most people from a privacy perspective. The less aggressive approach, as @Tamschi mentioned, would be to bridge a Threads user only on demand, when a Bluesky user requests them. Safer and more conservative, not as good for discoverability. I'm open to both. The first (proactive) way would be a huge increase in load, though, at least assuming we start bridging posts proactively too, so I probably wouldn't do it until we have an org and (probably) funding in place. |
I know discoverability is worse for the on-demand model but I think that's the right downside to choose. In my mind the networks would start to merge like so:
Does that make sense? If threads serves our own DIDs, does that resolve the DNS capacity concerns? |
I think it makes sense for Bridgy Fed to first automatically push an opt-out-instance's ActivityPub user to ATProto when they The DID documents themselves should be served by Bridgy Fed, in my eyes. That saves quite a lot of special-casing on our end. What's the regex for Threads usernames? ATProto are only a subset of DNS-compatible hostnames: #982 I think both active notifications and a Bridgy Fed API to look up the DID for a bridge handle are feasible. The latter has the advantage that it avoids timing issues (" There are a few general edge cases we'd need to decide on, also involving interactions with other instances:
|
its
so we definitely allow periods :) I'm also fine serving just the handle verifications, whatever avoids the DNS issues! |
I assume you have the infrastructure to run a custom DNS server 😅 I think it's easiest if you serve For reference, here is the ATProto handle regex from https://atproto.com/specs/handle#handle-identifier-syntax:
Underscores are replaced with |
Serving the |
Yes, I think so, but with some caveats. In theory you may be able to use a wildcard entry for the entire DNS zone, but a cursory check tells me that could get a bit implementation-defined on the receiving end. Which approach you take doesn't make a difference for Bridgy Fed and Bluesky always tries the other if one method fails, I think. |
I can see that for Threads on demand is the way to go but for other Fediverse instances it would be good to offer the proactive approach, combined with a default mechanism for the instance to give users their own ATProto handles as @Tamschi suggests - the two go together. We have something about to go live which I'll message about |
@pcottle Regarding #1305 (comment): I looked into what's allowed in TLS certificates a bit more and More details at https://security.stackexchange.com/a/39429, it seems it was originally allowed but then changed in the specification because in practice most vendors only allowed leftmost wildcards. Sorry for the earlier confusion. |
I think converting |
Hah yes, we went through this whole arc ourselves, #830 In the end, we couldn't quite get there because we needed to at least try to support all of the different fediverse software out there, but the problem space is obviously more manageable for you all with just a single, centrally managed platform. Looking forward to seeing where you end up on this 😁 |
Bridgy Fed maps |
Well for threads we dont allow Just trying to confirm that threads is unblocked, even if the wider issue isnt quite resolved :) |
The problem occurs if you have both (We'd also need some way to make the mapping configurable per instance, maybe. |
We're only talking about Bluesky handles here, specifically custom domain handles that Threads might set for its users, right? Not AP actor ids or |
Yep I'm just trying to make sure we can map all usernames over to valid subdomains, without ambiguity or collisions. Ideally without using But this is all unrelated to the topic here (instance opt-in) so Ill take this convo elsewhere :P |
Doesn't Bridgy Fed fail to bridge if it can't assign an initial username by itself or if there's a collision with it? |
Yes, but if @pcottle is only talking about how Threads would generate Bluesky custom domain handles, that should be unrelated. |
Unfortunately, opt-in ultimately makes the bridge unusable in practice. As a Mastodon user, I cannot persuade everyone I want to follow on Bluesky to turn on the bridge. In particular, it is impossible to get the attention of celebitry users. The service is only really useful with opt-out. And how cool is this bridge! I also cannot understand the arguments against opt-out: On both sides of the bridge, the basic idea of federation is that the data can be accessed by any other server in the federation, not just current but also future ones. In other words, the data is completely public anyway. You agree to this as soon as you register with a federating social network. Theoretical question: Would you disapprove, would there a reason against it or would there be anything stopping me from simply hosting a modified opt-out branch of bridgy-fed with a new domain myself? Whoever on Mastodon has something against it can then simply block the domain I use. |
Hey, I'm pretty interested in this feature. Would it be possible to exempt also, did mastodon remove the auto-follow feature? I know you can use the cli to make accounts follow someone but I can't find the option in the dashboard? Anyways, seeing as its probably not desirable to bridge a user before they have profile pic I might setup some webhook to wait for that before initiating the bridge. The 2 week old requirement is also going to have to be removed if the mechanism ends up being officially supported. Alternatively the relay options that was mentioned earlier seems pretty promising as a way to "activate" the instance opt-in. But just a traditional API could do the trick also. I'll report back as I get further into my implementation. |
@S0yKaf love it! (We've been talking more in #1537 (comment).) One catch is that Bridgy Fed doesn't yet support split-domain setups like masto.canadiancivil.com, ie where the server's hostname is different than the webfinger domain in users' handles. Sorry! That's #1031. |
@snarfed Could you lift the spam filter for
What isn't supported exactly? because it seems to work just fine on masto.canadiancivil.com . I did notice that it bridged users using the full instance name instead of the webfinger, but besides that everything seemed to be working properly? Is the whitelist something that wouldn't work because of the split domain? Once its tested and working properly I'll most likely release this as a sidecar you can run along your mastodon instance. So it should be pretty painless for anyone who wants to "activate" instance opt-in. ps: I really think the 2 weeks requirement isn't helpful since it can be easily spoofed |
@S0yKaf awesome! I haven't implemented a per-instance bypass for the spam filter, but I can eventually. Until then, feel free to test with existing accounts on your instance that are older than two weeks. Re split domain support, you're right, the main missing piece is just that it currently uses your instance's hostname in bridged handles, user pages, etc instead of the webfinger domain. Details in #1031. (And split domain support should be unrelated to spam filtering, per-instance bypass there, etc.) |
I know that you got a lot of heat initially when starting the bridge as opt-out. I would still like you to reconsider this, or at least allow entire Mastodon instances to opt-in for their users. This would allow us to lobby the big instance admins on both sides to opt-in, while ignoring nerd and niche instances.
I really like cross-federation. In fact, I think it's probably one of the most important features we need right now. However, at the moment this feature is absolutely niche. On mastodon.social the bridge account has less than a 1000 followers ( 0.4 % of active users), and on bsky it has around 6000 followers (0.075% of total users). BUT for proper interaction users on both sides need to have opted in, so chances of two random users being connected are tiny 😢
Have you considered instance opt-in?
P.S.: is there a way to support this project with money? Patreon, Paypal, Github, SEPA?
The text was updated successfully, but these errors were encountered: