FEP-400e: Publicly-appendable ActivityPub collections

The following FEP was proposed by @grishka and received on 2021-02-12:

FEP-400e: Publicly-appendable ActivityPub collections


In social media, it’s a frequent pattern when there’s a collection owned by someone that other people can contribute to. Examples include:

  • Walls where others can post
  • Forums as well as topics within
  • Photo albums in groups where group members can add photos

Currently, there is no generic way to signify that an object was created as part of a collection and should only be considered in its context.

This proposal describes how ActivityPub servers and clients could specify collections to which objects created by their actors belong.

We ask all ActivityPub developers to which this is relevant to carefully read the specification text and provide your feedback!

To readers of this topic, please note FYI that in Groups implementation - #70 by macgirvin and onwards @macgirvin and @grishka are discussing subjects that are related to this FEP.

(@how maybe you can reassign this topic to @grishka as he is the one assigned to the FEP)


I applaud @macgirvin’s objective to align with the FEP and provide feedback on it, just like I applaud @grishka having taken the time and effort to write it. An opportunity to see the FEP process (which had stalled somewhat) in action. In that light I suggest having discussion here, so that we practice, familiarize ourselves with, and are able to refine the process. Maybe a relevant summary might be added below?

@grishka FYI I just re-read a post on Feneas forum by @fr33domlover which appears to be describing a publicly-appendable AP collection mechanism:

Yes, when I said that such a pattern is needed in all kinds of social applications, I meant it :smirk:

Though now that @macgirvin has pointed out some security/trust issues with this FEP as it is, it needs some more work before it could be widely implemented.

Uhm, not sure where that came from, but I have no security/trust issues with the FEP as is, and have implemented it as described in the FEP pursuant to the clarifications that were provided. I’m happy with it, it works with our trust model, and currently allows us to post to any (*) existing groups implementation in the fediverse with a single carefully-crafted activity. I wouldn’t recommend changing it; because that might destroy this accidental but amazing opportunity for groups compatibility.

But I’ll leave the decision to you.

(*) Except Mobilizon which I believe only allows selected local logins to initiate topics.

It’s not as much about security as it is about the abuse potential.

Suppose someone was spamming a group with wall posts. Group admins blocked either them or their entire instance. But then that person started sending Create{Note}'s directly to group participants that are on instances other than the group — and, because their instances have no idea what is blocked by the group actor, those activities go through just fine, and the posts appear on the wall, with group admins having no sensible recourse. Yes, they could delete them, that would work. But that’d be a poor workaround for a problem that could be avoided entirely. Using Add{Note} would also not require the support for LD-signatures, thus lowering the barrier to entry.

I’ll investigate but I’m pretty certain that exploit wouldn’t work here. Our relationship and permissions aren’t with the actor but with the sender.

Anyway do what you need to do. When we connect with a group we send follow/group as well as join/group in the absence of any guidance to the contrary. Messy but necessary. Was just trying to avoid sending two activities for every group post as well when we don’t know the group architecture. Perhaps that can still be accomplished.

So how would new wall posts be propagated to group members then? What would happen if a user on instance A sends a wall post to a group on instance B, how would that post reach another user on instance C? Some form of forwarding needs to happen anyway, be it forwarding the original (LD-signed) Create{Note} or, as I’m now suggesting, an Add{Note} generated by the group actor.

Again, these are not issues our implementation is concerned with because our architecture transcends ActivityPub. Most of the issues we are currently working on have analogies and solutions in the history/evolution of email protocols, which I was intimately involved in for a number of decades. We don’t have all the problems you might think we do because we are able to draw on this wealth of messaging experience as well as lessons learned trying to federate over the complexities and limitations and hard-wired policy assumptions of earlier fediverse protocols.

I don’t wish to be drawn into another debate about petty platform differences. Those aren’t relevant to the discussion. We’re discussing FEP-400e. I’ve provided feedback and have nothing more to add.

I’m asking all this because I’m seriously thinking about updating the FEP with it. Acknowledgements such as Add{Note} are important as an integral part of the flow in the same sense that activities such as Follow require an acknowledgement in the form of an Accept{Follow} and thus can’t be considered in isolation from this requirement.

Can you ignore them on receipt and unconditionally generate them for any incoming wall posts? Absolutely. But it’s nice to have this feedback mechanism specified in case it’s needed. After all, a publicly-appendable collection is a deliberately generic construct, so there might be cases where someone would manually approve the addition of new items to a collection for example. In the same sense that I send an Accept{Follow} unconditionally, but Mastodon has a setting that allows the user to manually review and approve follow requests.

The “query whether a collection contains an element” should indeed be a separate FEP and as of now I have no idea how to best approach that. This kind of interaction sort of falls outside of the whole ActivityPub paradigm with its actors and objects.

I’ve submitted a pull request to update the FEP.

1 Like

I see a number of issues arising because Create/Note/Collection simply isn’t going to be on the radar of projects implementing simple microblogs. I believe most existing projects today will simply publish it (subject to addressing). They aren’t even thinking of targets and will likely just post it as a Create/Note activity.

I think that Offer/Note/Collection would make a much better construct in this case because it implies the presence of a target and is therefore much less likely to be mis-handled or accidentally published by the wrong entity. This also has a beneficial aspect - it gives the recipient an opportunity to Accept or Reject it, although I probably wouldn’t make that a hard requirement (we typically don’t waste resources responding to spammers). Acceptance could be implied if the note ends up in the collection and is re-delivered to that collection’s audience.

But you aren’t meant to send this activity to servers that don’t understand it (i.e. don’t have the wall collection). To post on someone’s wall, you don’t send that Create{Note} to your followers like you normally would, you instead send it to the wall owner’s server only. It then sends Add{Note} to the wall owner’s followers. Mastodon doesn’t know what to make of it and simply ignores it, I tested.

Understood, I thought it might avoid issues down the road by requesting acceptance from the collection rather than implying it, as this makes more sense for human moderated collections and would be more difficult to add in later, rather than building in that ability from the beginning. No worry.

It’s not implied, that’s literally what I’ve written in the updated FEP :wink:

It’s a SHOULD even.

So we might support it outbound, but I can’t use it inbound, as we have human moderation mechanisms to integrate and the FEP doesn’t really provide for delayed decisions - beyond moving a post after it’s already caused damage and once the moderators wake up. Again, no worry.

What lead you to this conclusion? It absolutely does. You can delay the Add as much as you want, there’s no requirement that it’s sent instantly, and you can totally send a Delete or a Reject instead.

Indeed it appears that it does.

  • If the object could not be added to the collection, for example due to the privacy settings configured by its owner, the server SHOULD either respond with 403 Unauthorized or respond with 200 OK and later send a Reject{Create} activity to the originating server.