wesbiggs
commented
1 year ago I have a vague recollection that this was done intentionally to allow reposts but I'm not certain. I do wonder how reposts would work now.
I wasn't here for those prior discussions but my opinion is that reposting should be explicit, not implied, and that we'd want a new announcement type that allowed this with a reference to the original announcement by its DSNP Content URL (like inReplyTo for Reply/Reaction) rather than linking to the external Activity Content directly.
The other option is that instead of saying that announcing with a URL pointing to someone else's Note is invalid, we say that it should be treated as if it was a repost in that case. This works if there is an actor field on the Note (i.e. you can know whose content is being reposted) but would require readers/applications to keep a reverse lookup table from the Note URL to its Announcement in order to authenticate the original actor.
wilwade
Problem
In the current spec it is possible for a user to announce (Broadcast, Reply, Profile) an Activity Content document that another user created and thereby claim it as their own. We have content authentication (contents of URL must match the hash) but not content provenance (user who claims to have originated the content must match the sender of the Announcement).
Link to GitHub Issue(s): https://github.com/LibertyDSNP/spec/issues/253 has further background.
Solution
We include the
actorkey (loosely defined in the Activity Content 2.0 specification) in the DSNP Activity Content specification, and define it as representing a DSNP User if it contains a DSNP User URI. By denormalizing in this way we enable readers to verify the linkage betweensenderIdandactor.Change summary:
actorto Note and Profile Activity Content objectsSteps to Verify: