This is the transcript of the talk by Nilesh Trivedi presented at Git Commit Show 2020.
About the speaker
Nilesh Trivedi is an open source enthusiast. He enjoys programming, and Ruby in particular. He also likes to learn new skills, and that has been true for more than two decades. In this talk, he will be focusing on how to get started with ActivityPub, a decentralized social networking protocol.
I decided to talk about ActivityPub. It's a relatively unknown protocol; however, I think it will be as important as something like HTTP. It's a W3C recommended protocol. So the final status impressions have been completed. It is now 1.0. But many developers are still uncommitted. So I decided to take this topic, and I have some practical experience with this, so I can answer a lot of your questions. So as I said about myself, I like open-source software. I enjoy programming, and Ruby in particular. I also like to learn new skills, and that has been true for more than two decades. So here is something that you might have noticed last year. Last year, Twitter ran into some controversy because they were censoring or they were refusing to censor certain accounts. And that angered a lot of Indian users. And they discovered this app called Mastodon. Mastodon is supposed to be an alternative to Twitter, with a difference. Right. So the code is a centralized system. Twitter is a central entity where all the accounts are maintained and all the tweets are maintained. The governments can go and force them to delete accounts and they can decide their policies. And somehow, in some situations, that runs into difficulties because not everyone agrees on what the moderation policy should be. So Mastodon suddenly became popular. And, you know, people it got coverage on BBC and all over the portals and then usage.
Well, thousands of people discovered Mastodon and then switched to it. So what is this Mastodon? Mastodon is an app that implements the ActivityPub protocol. So it is a very, very simple explanation: the way you think about email for messages, ActivityPub achieves the same paradigm for social networking. And we have seen how email has stood the test of time. The email was invented in the 1970s. And today, you know, we are here in 2020, 50 years. If a protocol is standing 50 years of a test, that means that the architecture is really solid. And the reason that works is that email is a federated protocol. You can have your email server. I can have my email server. I can create accounts on my server. You can create an account from your server. You don't have to be subject to the whims and fancies of each of them. And yet we can still communicate with each other. This has not been the case with Facebook and YouTube and Twitter and all this. Centralized platforms have taken up since the gunfight. I would say Gmail came along and sort of stuck at this time. But the email is still implementing a standard protocol. So the core idea here is: if we allow people to run multiple servers, which can synchronize with each other.
All they needed to do was, as a user, I shared my ActivityPub ID, which is usually the user ID, and they just followed it within their client apps, right? So this works very seamlessly. And such a simple thing to implement as you saw that they are just for scrambling to implement WebFinger to discover information about a user, that the response will have the link of that URL after you will return an object which has the inbox URL and the outbox URL where your inbox will be used, where your server can post to my server for each user. So to say that, OK, I want to follow this guy, I want to unfollow this guy and outbox is only necessary when you want to read from we want what you want to do up all from what this user has been doing. So. And in my case, what I'm doing is keeping a record of all the followers and when something interesting happens, when there is an event to publish, I just read through all the followers and I just pushed this activity, event to all of it. So using just these four routes in the right way in the scheme of complaint with your app will integrate with the rest of the world. And it has several apps that I've been using on my mobile. I'll be using this app ASCII. It's a Twitter equivalent, but it works with the server that I'm using for my microblogging, which is posted on dot org. And it's been working quite well. And I hope that you know, it seems like it's not tricky. The trickiest part is this signature verification part. And as you can see, it's not many 10 lines of code. But once you do this, it only needs to be done once. Then your app is part of the entire ecosystem. And this is that. My main point is that this ActivityPub started as an equivalent for building a microblogging network. But if you just think about it, what is going on here? It's a distributed protocol for the entire Web. Apps can subscribe to each other across domains, across owners, across servers. Right. And something interesting happened.
It can be a public broadcaster to all the subscribers. And they can do apps, can follow each other and the systems can follow each other. AWS can become a publisher of ActivityPub events, all your monitoring dashboards can become ActivityPub clients. So it opens up several possibilities. And I think as developers, we should look at activity as a generic powerful Blu. It allows us to build far, far more interesting applications. And to them, we are also solving the problems like centralization and censorship and filter bubbles and other things. So this is all the introduction that I wanted to give for the ActivityPub on the defining part. Or when I'm sending a message of yea so when I'm sending a message to your server, I need to find it. And therefore, because everything that I do is a request order that I know that it's out of the four. And then those are the same things that they end up putting in the movie. So it's a fairly simple method. There are some things that I can share. I think I dislike showing it if we want information and that's it. A summary of what activity is, how it can be implemented. And I hope I'm able to get you excited about how your apps can fit into the rest of the ecosystem because that's where the true value will lie. So I'm here for any questions that you might have. Thank you so much for letting me speak.
Amazing. Thanks a lot for this presentation, Nilesh. To the audience, you can ask the questions on the living git-commit show get there. It's a question-answer chat section on the right of your Livestream. So do use that to ask any questions you want to. And there is a button over that which you can use to show appreciation for the speaker. And it will give us feedback as well about the talk about the sessions that we are doing. So I have lots of questions. And Nilesh here Oh, it's wonderful getting to know about ActivityPub and our feeling that, yes, we can create our social network.
Before that, it was complex and we needed to make lots of decisions. And I think the ActivityPub is cutting down that part. And we don't need to make so many decisions, rather focus on the best practices which have been put in the form of protocol. So this is great to know. So the first thing that comes to my mind is that all the data is public. Is it so?
Not really. But it was designed for social networking, and it's not a private messaging platform. But there is support base support for messages which are fully, fully end-to-end encrypted. So if you want to limit your message to a certain group, maybe one individual or a limited number of users, you can do that. And if you have tried Mastodon, you can see that that's how it works. I can just quickly share my screen to show you again.
Oh, sure.
So this is my Mastodon. As you can see, it looks very much like Twitter. But when I am posting something here I have an option. But I want the message to be public or understood or followed only. Now, this is not unique to Mastodon. This is all part of ActivityPub. And the protocol supports that level of granularity.
Got it. So there are features of which there are some more data fields probably, which define the privacy level of each content that we are sharing. Yes. And got it. So. But anyone can send a message that is for sure because we are making our ID public. Is it correct?
So, yeah, again, as I say, a very simple way to understand this is like. You can host your email. If you don't like to host your email, you can subscribe to email. Hosting providers are in the worst case. You can just sign up on someone else's server like Gmail. Right. So you have these various levels of detail, whatever control you're comfortable with, whatever security that you want, whatever privacy that you want, you just choose what is appropriate.
And if you stop liking someone's governance and governance behavior, you just move and port your account to another provider and will continue to work.
Related. What do you mean by that? I think you mentioned that.
So for example, right now, if you don't like what Twitter is doing, you don't have any choice at all. Your followers are on Twitter, but in ActivityPub that portability is there. So there's a seamless way of redirecting users from one server to another server, and you can just start publishing your new identifier of the new server. But anybody who still goes to your old server will automatically get to a new identity.
So it is designed to be very portable, very user-friendly. But yeah, just think of the way email works. I can host my email server. I can use SendGrid, I can do databases or I can use Gmail. All these possibilities are there. Some people are paranoid enough that they will run their email server inbox. And that also. So at the ActivityPub, I can give some insight as a Mastodon is written on Rails and it's slightly heavy on the memory side. But I was able to run on Raspberry Pi, so I was running a full-fledged ActivityPub network, which is equivalent to Twitter on my Raspberry Pi. It's like five hours of power of always-on connectivity. So multiple implementations exist. You don't have to be, you know, satisfied with whatever one vendor is providing. You can use any one implementation. You can try on.
Or so, similar to email, are there any ways that this specification talks about how to deal with spam?
So again, here, though, the spam can be controlled at each instance, a level that everyone who is running a server, they are the administrator of that server. They can declare certain policies. So in ActivityPub, a lot of servers have declared that they will be not accepting any messages from, let's say, oh, activity servers running in North Korea. Right. You can put a whitelist. You can put a blacklist. And at the admin level, there is a lot of management possible. And therefore, you are incentivized to just find the good elements that you can trust. Right. If your expectations are high and then you want a high level of control, then you run your server with whatever places that you want. Or just so that it's not covered by the protocol, the other layer could be put on over this again. So it's the same idea as the email server will it inbox provider will control what is called spam, what is not called spam. Same idea.
Or it could. So one thing I will get is before that.
What type of content is supported, you shared out there is content specifically and you can put all your messages there. So what kind of message is this? Just text or something else.
So they have different types of text. There's audio, there's video, there are files that you can send. So people have using people are building Google Drive equivalent using ActivityPub. So there's a project called Nextcloud, and that implements ActivityPub. And with it, you can transfer files that can be as big as you know. And so it's just a schema and schema can be made very flexible as long as you get the core concepts. And the core concept here is that every user has one inbox and one outbox in the cloud. And that just opens up several possibilities. So how you implement the content, it's up to the user whether you want to include it. And so the vocabulary like this is something of a note, the note is like a blog article. And that vocab is extensible. You can create new object types for tomorrow. You might say, I have an object type call app or I have an object type called course. And it's an open-source standard. So people will implement support for it and they know it can just get adopted. They are not bottlenecked by a single corporation.
OK, so what you mean to say is that we need to add more of our fields on top of what has been specified by this activity protocol.
So in most important native support, in most cases, you will not need to do this. So, for example, I had an object type called Libby, but I was able to leverage the note I because I did share that. Yeah. So, no, note type is essentially a text message along with a link. OK. And that's all you really need for sharing some text along with the link and then some data like it could have MediaLink images that would use a password. So in most cases, you will not need to extend the vocabulary. But if you need to, let's say, for example, you want to share places or calendar events, in that case, the open-source standard.
Anyone can suggest ideas and they'll get an update.
Is there any example that you want to show here about this?
A good example, guy. I don't think I have an example.
OK, cool. So what about this? So there is an RFC for this already, which has the proper specification, which has all the details that you have talked about. So I was just going through all that. All there are different kinds of details, over there. As you have mentioned, this object is that actors are their collections are their client to server interaction, server to server interaction, then security consideration and all these things. So this seems like a very detailed document. So this reminds me of when I was reading RFC for this, also, I wanted to implement this authentication in my application, and I read at least 10, 12 different kinds of RFCs related to it.
So I would say so. Auke is much more complex than ActivityPub, but it turned out to be a fairly simple protocol to implement. I just had to implement, you know, inbox and outbox and it was done, you know, what is a beast?
So one that's one thing. What it reminded me of is all those RFC documentation, I think we should read it. And that's the best place to go about it. But for the start, is there any easy way, like is there any library that we can use for ActivityPub?
So libraries will depend on the language that they're working with. And that's a website that I took that image from. It's called Activity Pub. They have a very good question. What you can do is you can go to Learn Awesome and search for ActivityPub, that exists as a topic, and you'll find learning resources about ActivityPub. Some of them are collectors. The collection needs to be improved, but still, there are some starting points out there. So ActivityPub says all the different kinds of libraries that are to do, all you have to do is go to Learn Awesome and search for ActivityPub. In fact.
Got it. Good to know. Yes. About the authentication, you were
sharing, that there is a signing mechanism to verify whether this server is from the website. So this is what can be called, let's say, a server activity. So, well, call it. So is there a way under a different road from the user to the ActivityPub?
So I think it's okay to go a little bit into detail here. Yeah. Let's say you are a consumer of those events. You are using some ActivityPub app like Mastodon or something. And I am posting reviews. My server is posting reviews. And you want to be sure that this is correct. It has not been tampered with. It is not fake. There are two kinds of levels of security. One that it is coming from Learn Awesome. And second, it is coming from Nilesh. So ActivityPub lets you do either of those. What you need to do is decide in the implementation stage whether you want to maintain a key pair for every user separately or just want to maintain one single pair for people for the server alone. So the second choice is what I've made for something.
As you can see in the code, I was sharing a public key head that appears to be the same for all Learn Awesome users. But the protocol doesn't mandate that. I could have maintained a key pair for each producer. And the message that your server would receive would be signed with that. So you would get a guarantee that yes, this message is coming from the Nilesh only, even Learn Awesome some server could not tamper with that. Now, in my case, I've sort of chosen a simple solution, which is, OK, one is good enough. But most implementation will achieve this, that every user will maintain a key pair on the server and each activity will be assigned, whether I like.
Got it, so we can use this key pair for our different users, different key pairs.
Yeah, every user can have a separate key pair. Maybe your app your Web app can allow the users to upload their keys. This is what GitHub does. You can upload your keys like the public key and all the comments are signed by your private. You could implement something like that. It depends on what security versus convenient straight you want to achieve.
Or so, using these libraries that we can find ActivityPub. How much time do you think it'll take? What I was going to take you to create a simple solution, as you have said, inbox outbox indicators analyst.
For me it took three hours. That's also like one and a half hours spent just figuring out the signature verification because Mastodon is there. Mastodon is an open-source Rails app that implements activity. So I got some ideas from there, but their code is very complex for like from my perspective, from what I wonder, what is a very simple implementation. So that makes it pretty easy to implement. And you know, and just three hours without using any level, it is just using the stand-up. OK, I received this in this inbox, the route I have to publish. This is one of those outboxes and then I have to mix it up. So it's not a lot of effort, and yet it can unlock a lot of capabilities.
So it's like machine learning in that regard.
So, well, implementing this, did you find anything, any part that is missing there or any part which was the most challenging part? What was the most challenging part in creating a complete production-level app?
Hmm. So I would say that for every language, we should start seeing ready-to-use libraries to, you know, just plug it in. And then, you know, the app is ActivityPub compliant, we just map it to the right objects. I think they would help, but I don't think that's a very strong missing piece of it. As I said, it just took three hours. So without those libraries, you know, it's still only three hours of work, no matter what level you are at. So I don't I wouldn't say there's a big missing piece. But, yeah, it helps that all of us are reusing the same code. And it can be made sure that it's secure and it is up to date and it is standard compliant. So those libraries will start helping. I think they do exist for many other languages. I could not find something for Ruby that was very actively maintained. So it was easy enough for me to just implement it on my own. The good part is that I started promoting ActivityPub or public only when it has reached the W3C recommended status, a protocol goes through a lot of iterations of alpha-beta and I and zero-point five-eight. But once it reaches that recommended status, you can be confident that, OK, now it is stable. Now it is not going to change in fundamentally different ways. So that stability is very, you know, it invokes confidence. And that's a very good sign that, OK, now it's ready. I think the Twitter CEO sometime last year said that they want to centralize Twitter because they are under tremendous pressure off, you know, from the government. And, you know, many people just recommended they know where to deposit money. That's what they should call it. We'll see what happens.
But in the meanwhile, the alternatives are quite good, I would say, and of the communities are worth checking out actually for developers and technical people, at least while the masses are still taking time to come. But there's a lot of content. There's a lot of users posting regularly. So it does feel like, you know, Facebook in the early days.
OK, so you said decentralized and decentralized requires a common specification, common data types. So that's what the ActivityPub is doing. But you also said that the user is free to customize it specifically. When we talk about major things like photos, videos, or some type of content, how do you implement that? If it is left open to the user to implement it the way they want it, will we have a common data type over there, or what is the way to go about that for different content types?
So, again, in that email analogy, the protocol is stable. The protocol tells you how the message can be sent and received. What filtering you want to implement is left to the implementation by the Mastodon is one of the implementations lobotomized and other implementation journalism is another implementation to be another one. And this implementation will make their own decisions. Some of them will say, OK, we'll give this control to the users. Some of those will say that, OK, we have we know what is good for you and we have made those decisions right. And that is space for all kinds of options. So, yeah, the filtering capabilities will boil down to the implementation, not to the protocol itself. So if you want to know how Mastodon does filtering, then we should check out most of them. Pleroma, for example, is supposed to report, but it is also compatible with Mastodon. So I can sign up on some of the Pleroma servers and subscribe to anybody who's using them. So, yeah, filtering is left out as close to the user as possible, because that is the way it makes sense.
The core protocols will be as dumb and they should be dumpsites like this if we feel like they should not have a lot of intelligence built into that layer. So it's an idea from a couple of times we are called to move the intelligence out on the edge, but not at the center.
Also makes sense. So I think this is already useful information and helps people accelerate their learning in ActivityPub and on. I have one more question, which is related to more of a theme of the topic, which is the pursuit of mastery for the pursuit of must be is the theme of this conference. So do you have any thoughts on sharing about mastery, what you understand, or anything you would like to share? And at the same time, let me combine a couple of questions in this one only. So another question will be what uh, what ideas would you suggest for people to become fast learners? And then the third question, if you can answer all of those together, what is your favorite book?
Hmm. OK, very interesting questions. I've done hiring for almost 10 years now, or I've seen lots of people grow and develop and become better at their jobs. And some of the learnings have come from there. One is, though, there is a very clear difference in mindset that makes a difference. So I think Carol Dweck talks about it as a growth mindset. And there is a fixed mindset that the people who have a growth mindset believe that, OK, I can learn this, but they are not afraid. They are not afraid of failing, but they are not afraid of trying. And that mindset is the number one key. That's why, though, if you sign up for Khan Academy, they spend a lot of time just giving you that mindset that, yes, I can learn this, I can learn this. So once you have that growth mindset, you will be open to challenge. Then don't look, you'll not look at failure as a failure. You'll see it. OK, well, now I know what doesn't work for me right now. I know what I'm not currently good at.
And you just start that shift and then things make you think it makes a lot of sense to have a good attitude, how you approach work, how you approach learning, what you do in your spare time. So that is a number one thing. So this phenomenon is quite, very well known. Writer Carol Dweck's book became very popular. The point that I would like to add is that if you have, let's say, 20 hours, a look at learning some new skill. I would spend at least four hours just researching the right material that is one-fifth of the time I'm willing to spend. OK, discourses taking this approach don't work for me. So, for example, when I was learning Jurf for a project sometime last year, and I've never done closure, I've never done any less. I came from Java. It'll be. But I'm kind of a beginner. But using the website that I found, it's called The Next Environment, it's better using that site. I was able to become, you know, like 50 percent productive within three hours. So it took me two hours to find that. But spending time on finding the model that works for you, for example, you might be more attuned to podcasts, because the only time for learning that you have is on the way to, you know, on your commute. So maybe a podcast is what you want. Maybe videos are what we want, maybe you want interactive exercises. Maybe you just want one hour of pairing their programming with somebody who knows his stuff. So I would say spend time, invest time into finding the material that works for you. And then you think that it does wonder. So these are the two things that come to my mind. And this sort of answers the second question, how to learn more effectively. In terms of my favorite book, there are many. I would say one of the good books has been like any book because I tend to read a lot of analytical philosophy. So Bertrand Russell is one of my favorite authors because, you know, he's very courageous in his writings, but is also very clear. So this combination that I found very nice. So.
Amazing. I still have a lot of questions, but I think that we are already over time and we will be waiting for the next speaker or so, we will have to fight always right now. And that will connect with you in one on one discussion for more questions, and you can share how other people who are seeing this can connect with you, or any last messages that you would like to share with them.
Yeah. So feel free to connect me on Twitter or email or whatever you want. I'm going to find the message that I would say. So I think we need to continuously learn because the technology that we have gotten used to is still continually changing. So should it be known that, OK, how BCB and then Google came out with this theory and then I'll quit protocol and I'll be able to verse can push messages to the clients? A lot of capabilities that we have gotten used to in the last 15 years are now changing. So like who knew that website work websites will support push notifications, you know? So continuous learning is the way to go. But also, I would say that if you get out and make those decisions, which benefit the user of the other reasons why we exist, why we get paid, and where we should be trying to make themselves as their life-size.
That's right. Great, thanks a lot for this wonderful talk and see you later. Bye-bye.