As someone who has only immersed myself in ActivityPub specs and source code for two months, I can start to see the basic common outlines of what AP servers do, and why therefore there is such a thing as the Fediverse. But it’s becoming more and more clear that AP is a garden with so many different flowers in it, each one with its own scents and colors.
I guess at the outset (back in 2016-17) the few applications then attempted to include a FEDERATION.md file explaining which activities each would support, any extensions to the AS vocabulary each would add, and some other details. I was only able to find three of these, for Zap, Tavern, and Mastodon. I guess current implementers don’t feel the need for it. But there is useful information in there. In Zap’s FEDERATION, for example:
The Zot permission system has years of historical use and is different than and the reverse of the typical ActivityPub project. We consider ‘Follow’ to be an anti-pattern which encourages pseudo anonymous stalking. A Follow activity by an actor on this project typically means the actor on this project will send activities to the recipient. It may also confer other permissions. Accept/Follow usually provides permission to receive content from the referenced actor, depending on their privacy settings.
It’s hard for someone new attempting to implement a server to figure out if there are any very commonly used assumptions about addressing, which core activities you really should support and which are not that important, etc.
Without having to dig through the source code of 5 to 10 of the biggest servers, I have a lot of questions about privacy and distribution. I have looked through FEPs and read some of the discussions here about the various ways to implement true “direct messages” and I guess some standards are becoming clearer there. But I guess the Fediverse will always be a place where each server can do what it wants (with the result being varying degrees of interoperability).
It seems to me that a user’s expectation of a level of privacy needs to be a global concern. So here’s one example of a question I don’t find trivial (maybe the answer is obvious): Do most servers implement the filtering of items in standard collections (“Outbox”, “Liked”, “Shares”) based on the contained objects’ “to”, etc., addresses, or are these in general considered public? The spec says these collections
MAY be filtered on privileges of an authenticated user or as appropriate when no authentication is given.
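An added example (not part of the original post, and not taken from any server's code) of what filtering an outbox on the viewer's privileges can look like. The actor ids, the `collections` membership map and the choice to fail closed and to strip `bto`/`bcc` for every viewer are assumptions of this sketch.

```python
PUBLIC = {"https://www.w3.org/ns/activitystreams#Public", "as:Public", "Public"}
FIELDS = ("to", "cc", "bto", "bcc", "audience")
HIDDEN = ("bto", "bcc")  # never echoed back to readers of the collection

def addressed(item):
    """Ids named in an item's addressing properties (string, object or list forms)."""
    ids = set()
    for field in FIELDS:
        value = item.get(field, [])
        for v in value if isinstance(value, list) else [value]:
            v = v.get("id") if isinstance(v, dict) else v
            if isinstance(v, str):
                ids.add(v)
    return ids

def may_see(item, viewer, collections):
    """True if viewer (an actor id, or None when unauthenticated) is in the audience."""
    ids = addressed(item)
    if ids & PUBLIC:
        return True
    if viewer is None:  # fail closed: anything not explicitly public stays hidden
        return False
    # Author, named recipient, or member of an addressed collection (e.g. followers).
    return (viewer in ids or viewer in (item.get("actor"), item.get("attributedTo"))
            or any(viewer in collections.get(c, ()) for c in ids))

def filter_outbox(items, viewer, collections):
    """Copies of the activities the viewer may see, with bto/bcc stripped."""
    visible = []
    for activity in items:
        obj = activity.get("object")
        parts = [activity] + ([obj] if isinstance(obj, dict) and addressed(obj) else [])
        if not all(may_see(p, viewer, collections) for p in parts):
            continue
        shown = {k: v for k, v in activity.items() if k not in HIDDEN}
        if isinstance(obj, dict):
            shown["object"] = {k: v for k, v in obj.items() if k not in HIDDEN}
        visible.append(shown)
    return visible

# Constructed sample data (hypothetical actors on an example domain).
ALICE, BOB, EVE = (f"https://social.example/users/{n}" for n in ("alice", "bob", "eve"))
FOLLOWERS = {ALICE + "/followers": {BOB}}
OUTBOX = [
    {"id": "a1", "actor": ALICE, "to": ["as:Public"], "bcc": [EVE]},
    {"id": "a2", "actor": ALICE, "to": [ALICE + "/followers"]},
    {"id": "a3", "actor": ALICE, "to": [BOB], "object": {"attributedTo": ALICE, "to": BOB}},
]
```

With this sample, an unauthenticated request sees only the public item, a follower sees all three, and an actor who is neither a follower nor a named recipient sees only the public one.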