1
0
Fork 0
forked from alemi/upub
upub/README.md

60 lines
2.9 KiB
Markdown
Raw Normal View History

# μpub
> micro social network, federated
μpub aims to be a private, lightweight, modular and **secure** [ActivityPub](https://www.w3.org/TR/activitypub/) server
2024-04-14 07:40:25 +02:00
μpub is currently being developed and can do most basic things, like posting notes, liking things, following others, deliveries and browsing
2024-03-27 04:03:08 +01:00
2024-04-14 07:40:25 +02:00
all interactions must happen with ActivityPub's client-server methods (basically POST your activities to your outbox), and there's a simple frontend
a test instance is _usually_ available at [feditest.alemi.dev](https://feditest.alemi.dev)
2024-04-14 07:40:25 +02:00
upub's stock frontend is also being developed and can be viewed _usually_ at [feditest.alemi.dev/web](https://feditest.alemi.dev/web)
## about security
most activitypub implementations don't really validate fetches: knowing an activity/object id will allow anyone to resolve it on most fedi software. this is of course unacceptable: "security through obscurity" just doesn't work
μpub correctly and rigorously implements and enforces access control on each object based on its addressing
most instances will have "authorized fetch" which kind of makes the issue less bad, but anyone can host an actor, have any server download their pubkey and then start fetching
μpub may be considered to have "authorized fetch" permanently on, except it depends on each post:
* all posts marked public (meaning, addressed to "https://www.w3.org/ns/activitystreams#Public"), will be fetchable without any authorization
* all posts not public will require explicit addressing and authentication: for example if post A is addressed to example.net/actor
* anonymous fetchers will receive 404 on GET /posts/A
* local users must authenticate and will be given said post only if it's addressed to them
* remote servers will be given access to all posts from any of their users once they have authenticated themselves (with http signing)
note that followers get expanded: addressing to example.net/actor/followers will address to anyone following actor that the server knows of, at that time
## progress
- [x] barebone actors
- [x] barebone activities and objects
2024-03-19 15:57:48 +01:00
- [x] activitystreams/activitypub compliance (well mostly)
2024-03-27 04:03:08 +01:00
- [x] process barebones feeds
- [x] process barebones inbox
- [x] process barebones outbox
2024-03-27 04:03:08 +01:00
- [x] http signatures
2024-04-12 20:05:30 +02:00
- [x] privacy, targets, scopes
2024-04-16 08:35:13 +02:00
- [x] simple web client
2024-04-14 16:49:48 +02:00
- [ ] announce (boosts)
- [ ] threads
- [ ] editing
- [ ] searching
- [ ] media
- [ ] user fields
2024-04-14 16:49:48 +02:00
- [ ] mastodon api
2024-04-08 03:00:11 +02:00
- [ ] hashtags, discovery
- [ ] polls
- [ ] lists
2024-04-08 03:00:11 +02:00
- [ ] more optimized database schema
## what about the name?
μpub, sometimes stylyzed `upub`, is pronounced `mu-pub` (the `μ` stands for [micro](https://en.wikipedia.org/wiki/International_System_of_Units#Prefixes))
## frontend
upub aims to be compatible with multiple frontends via the mastodon api, but a simple custom ui is also being worked on
![screenshot of upub simple frontend](https://cdn.alemi.dev/proj/upub/fe.png)