Signaling that some collections are managed by the server

[trwnh]

There are special collections that are managed by server side-effects, such as followers following liked on actors and possibly replies, likes, shares on objects. In most cases, the side-effects are the only intended way of interacting with these collections; for example, a Follow results in an Accept Follow, which has the side effect of adding them to followers and them adding you to following; a Like has the side effect of you adding the object to liked and them adding your Like to likes; an Announce has the side effect of them adding the Announce to shares, and a small exception for replies which may be managed manually.

But there's nothing in ActivityPub explicitly preventing a user from targeting their followers/following with an Add/Remove. In the case of a Remove, you can say that there is a legitimate use-case for this; perhaps you no longer wish to follow or be followed by a certain actor. However, for Add, it's a bit weirder -- you can Add an actor to your followers despite never receiving a Follow from them. You can add an actor to your following despite never receiving an Accept Follow from them.

There is some language that can be interpreted along these lines, in 6.5 Follow

The Follow activity is used to subscribe to the activities of another actor. [...] The side effect of receiving this in an outbox is that the server SHOULD add the object to the actor's following Collection when and only if an Accept activity is subsequently received with this Follow activity as its object.

and in 6.6/6.7 for Add/Remove:

the server SHOULD add the object to the collection specified in the target property, unless: [...] the object is not allowed to be added to the target collection for some other reason, at the receiving server's discretion.

Taken together, we conclude that the logical iff regarding Accept Follow is the only way to add the other actor to your following. A C2S Add/Remove would not be allowed due to "discretion".

Given this: how do we signal server management instead of actor management of these collections? My initial leaning would be to exclude attributedTo from the representation of these collections; in the absence of any attribution, it is assumed that the collection is owned by the server running at that origin / domain / hostname. (For S2S follower removal, this would have to be a special case handled similarly to Reject Follow being sent at any time after an Accept Follow, but that's a separate topic.)

Perhaps this is more important for followers/following, but it is relevant to the other "special collections" too.

[evanp]

I wrote a document on the Primer on Server-Managed Collections, based on discussion during triage:

https://www.w3.org/wiki/ActivityPub/Primer/Server-Managed_Collections

In general, it agrees with your notes, that client software should not use Add, Remove to manage these collections. We also noted that they should not be manipulated with Update or Delete.

One case we discussed where this might make sense is for moderation of collections on an object that are initiated by someone who isn't the original author. Using a Remove activity to take an inappropriate or offensive reply out of the replies list is a good example, and does not have an equivalent in the rest of the AP spec.

I'm going to mark this as Pending closure.

[evanp]

This has been pending for a couple of months, so I'm marking it complete.

[nightpool]

If we're considering editorial changes to the AP spec, it might be nice to clarify this explicitly.

On Wed, Oct 4, 2023 at 12:34 PM Evan Prodromou @.***> wrote:

Closed #377 https://github.com/w3c/activitypub/issues/377 as completed.

— Reply to this email directly, view it on GitHub https://github.com/w3c/activitypub/issues/377#event-10553427144, or unsubscribe https://github.com/notifications/unsubscribe-auth/AABZCV5HDSLY7WAMI3KH6ITX5WFYRAVCNFSM6AAAAAAZOKTYY2VHI2DSMVQWIX3LMV45UABCJFZXG5LFIV3GK3TUJZXXI2LGNFRWC5DJN5XDWMJQGU2TGNBSG4YTINA . You are receiving this because you are subscribed to this thread.Message ID: @.***>