I think putting it into the VCS itself (e.g into commit, repo, or config) is not the way to go.
Hmmm can you please explain your thinking, why you think putting the URI in the VCS isn’t a good idea and using an index is a good idea?
Here are some of my thoughts about this
The way I see it, putting the URI in the commit is the best way. The ForgeFed actor URI has the same status as the email address: It’s a way to identify the author, to contact them, to send them patches and so on (and it should work even when the author email isn’t even provided). In the same way the author email is attached to the commit, the actor URI can be too. Perhaps, should be.
Putting the URI in the commit allows to associate GPG signatures on commits with the actor URI. It also allows ForgeFed not to depend on email addresses. The email-to-actor index complicates things, and forces people to use email. Also, email address hosts have no obvious match with forge URLs, so, given an email address, how do you even know which forge to ask? And what if that forge happens to be offline? And what if that forge doesn’t exist anymore?
Putting the URI in the commit just seems like the easiest most secure option, because it would work in the same way author email works. Introducing a level of indirection ties ForgeFed to email addresses and introduces a whole new model with its own security implications.
Obviously, existing commits don’t have any actor URI attached to them. And then indeed we need some other way. Ideas:
- Remember that some commits are made by people who aren’t on the Fediverse at all, so there’s no actor URI, and in ForgeFed that could mean just having an object for
attributedTo that doesn’t have an
- For signed commits, find the actor URI attached to the GPG key (is it possible to do that, and to publish to a keyserver?)
- If the email address is in use by a local user, can we assume it’s them?
- Use some kind of index? But I’m not sure how. The safe way would be to have email servers be the authority over this, but Idk if that’s reasonably practical. Matrix has this identity server thing, but AFAIK it’s not federated and almost everyone uses the identity server run by matrix.org? I’d like to try not to introduce a centralized component.
Perhaps it’s also reasonable to just apply some guesses when the actor URI isn’t in the commit (look at GPG key if commit is signed; check if email address is associated with a local account; check if email address is associated with a known remote account; check if we have some existing Commit in which this email address is already associated with some actor URI), and over time people will be putting actor URIs in new commits and this problem will gradually disappear.
Indeed for the avatar we can use the email with Libravatar without needing the actor URI.
I’m also wondering whether we can/should do some public matching between the actor URI and the email address. Is that secure? Generally email addresses are privately used for login and for password reset, like, generally on the internet. Using email address hashes would be an improvement, I suppose, yeah. But we also need to consider how that index would work: Is it good enough to trust the “known network?” And more generally, what are the uses of the actor URI and how bad is it if sometimes it won’t be available? I suppose we can add an
emailHash property to ForgeFed. Or is it better to add the email address itself? Is it a good idea? Does it cause any privacy/spam problem that doesn’t already exist?
Everyone’s thoughts are very welcome, please share