Archive for the ‘WordPress’ Category

OpenID

I would like to see more folks, especially WordPress, support OpenID.

This is not a trust system. Trust requires identity first.

Exactly.

Kramer v. Lamer

On the advice of Boss Mullenweg, I’m going to give the Kramer plugin a try … we’ll see who wins: Kramer, or the lamers who don’t use pingback and trackback.

More on TrackBack Timestamping

Most of the blognoscenti may well say that TrackBack is dead, but … just now, I realized that I hadn’t done proper linking between two entries, and so I sent a TB from an old entry to a new one. I thought about going in and editing the comment timestamp, and … I found that WordPress has implemented my old suggestion that TBs should be sent with the timestamp of when the source entry was posted, not when the target entry received the TB. Totally cool to me here at 0515. [Of course, just like most anything's funny in the middle of the night, most anything is cool to me first thing in the morning.]

WP 1.5.2

WordPress 1.5.2 is out. I just did the upgrade here in … 30 seconds. I’m hoping to have a spare hour tomorrow to do the rest of my upgrades.

Owen Winkler has a writeup, in English, of the changes. The biggest feature update, to my eyes, is the improved comment feeds, which now have entry metadata in them to let you know, as you peruse aggregated comments, on what entries the comments were posted.

Kari’s a spammer!

I’m greatly amused … Kari commented enough here in the last half-hour or so that she triggered Spam Karma 2’s comment spam flood bit.

I had to go in and manually approve her to keep commenting. Kari, you should now be able to comment here, and not just in your heart.

I love how I’ve hardly gone any length of time without support. This has been pretty doggone awesome. :D

WordPress User-Specific RSS Files: Identification

So, once the user has made choices about what they want their custom feed to be—and this would just be data stored in the database—you’ve got to let WordPress know who the user is when they poll the feed. As I see it, you have two options:

  1. Use HTTP 401 Authentication with their username and password.
  2. Generate a random key for the user, stored in the wp_users table and generated for the sole purpose of authentication, which is displayed to the user inside the WordPress admin.

401 Authentication seems like an obvious approach. The URL would end up looking like so:

http://username:password@ijsm.org/feed/

Of course, the problem with 401 in this regard is security. For one, you’re almost certainly sending this data unencrypted in an HTTP GET request. Anyone packet-sniffing on your side or the server’s can have your password. It’s a security hole, but the level of damage that could be done is only limited to the user’s capabilities. [It'd be far worse to have my admin account hacked than it would be for just any random user, since someone with my admin password can wreak all kinds of havoc.]

401 Authentication also doesn’t have universal support amongst aggregators. I’m sure that this won’t be an issue in another year, but it is an issue now for some users, and it would suck to put this functionality out there and have some users not be able to use it.

Key generation isn’t a security issue—the key would only be for this purpose—but it is still extra data that the user has to keep up with. Key generation is how John Gruber used to do his members-only feeds on Daring Fireball, so I’m totally stealing the idea from him on that score.

I think that, from a security standpoint, I prefer the key generation, but in the long run, it’s another piece of data that has to be handled by WordPress, and I hate to generate extra data when it might not be necessary. But in my present state of wakefulness and awareness, it seems like the best answer to me.

I have some other random thoughts about how WordPress could do some other cool things with aggregation of data for user-specific feeds, but … I feel this entire entry losing focus as I type. [It didn't help that I got a phone call in the middle of it, either.]
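Option 2 above, written out as an added example (this is not WordPress code or the author's implementation). The function names and the `$store` array, which stands in for a column in `wp_users`, are hypothetical, and keeping only a digest of the key is this example's own choice.

```php
<?php
// Added example, not WordPress code. feed_key_issue(), feed_key_verify() and
// $store are hypothetical; $store stands in for a column in wp_users.

// Issue (or rotate) a user's feed key. Only the SHA-256 digest is kept, so a
// copy of the users table does not hand out working feed URLs.
function feed_key_issue(array &$store, int $user_id): string
{
    $key = bin2hex(random_bytes(32));         // 256 bits from the OS CSPRNG
    $store[$user_id] = hash('sha256', $key);  // overwriting revokes the old key
    return $key;                              // displayed to the user in the admin
}

// Map the key presented with a feed request to a user id, or null.
function feed_key_verify(array $store, string $presented): ?int
{
    if (preg_match('/\A[0-9a-f]{64}\z/', $presented) !== 1) {
        return null;                          // wrong shape: never a valid key
    }
    $digest = hash('sha256', $presented);
    $match = null;
    foreach ($store as $user_id => $stored) {
        if (hash_equals($stored, $digest)) {  // constant-time comparison
            $match = $user_id;
        }
    }
    return $match;
}

// Constructed demo: user 7 is issued a key, then rotates it.
$store = [];
$old = feed_key_issue($store, 7);
$new = feed_key_issue($store, 7);
var_dump(feed_key_verify($store, $new));                // the current key
var_dump(feed_key_verify($store, $old));                // the key replaced by rotation
var_dump(feed_key_verify($store, 'username:password')); // malformed input
```

Because the key is useful only for reading the feed, rotating it from the admin screen revokes a leaked feed URL without touching the account password.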

WordPress User-Specific Feeds: Choice

How have I gotten almost 13 hours into the Blogathon without posting about WordPress?

Oh yeah, I was saving posts like these for the harder times. [Yes, the sound you just heard was me beginning to grasp at straws.]

I’ve been thinking a lot lately about user-specific RSS feeds for WordPress. With user registration now being a viable part of the WordPress system—because users != weblog authors—I think that we have the capacity to improve users’ experience with WordPress.

I think that a user should be able to decide what all categories of feeds they want to see. For example, if a user of IJSM didn’t want to see all my Blogathon 2005 blather—and frankly, I’m not sure that I blame them—they could vote to not see all those posts.

Of course, that’s a complex process, because you really have two options to present to the user:

  1. Do not present items marked only in this category.
  2. Do not present any items marked with this category.

Many of my posts today have had multiple categories. Everything’s been in Blogathon 2005, but I’ve touched on a number of other subjects that people might be, presumably, interested in seeing.

With any number of posts, there’s going to be overlap between categories. There will, in these cases, be overlapping areas if you marked these up with a Venn diagram. [If you think this entire post is an excuse for me to say something about Venn diagrams, well ... you're almost right. I do take this suggestion seriously.]

Some folks will want to block out everything. An example not related to the Blogathon? Perhaps someone doesn’t want to hear a word I have to say about politics or religion. [Fair enough!] They’d want exclusive bans anytime I posted on that subject. But they might not want an exclusive ban on any posts categorized as geekery. I mean, maybe they’re not into the geeky things I talk about, but sometimes, I add geekery in for an extra bit of fun. [Fun for me, that is!]

I’ll explore implementations of aggregation of user-specific RSS feeds later on …
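The two exclusion options from this post, as an added example that is not WordPress code. `feed_filter()` and the preference values `'only'` and `'any'` are hypothetical names; the example also assumes that when several categories are muted with option 1, a post is hidden once every one of its categories is muted.

```php
<?php
// Added example, not WordPress code. feed_filter() and the preference values
// 'only' / 'any' are hypothetical names for the two options in the post.

// $prefs maps category => 'only' (option 1) or 'any' (option 2).
function feed_filter(array $posts, array $prefs): array
{
    $only = array_keys($prefs, 'only', true);
    $any  = array_keys($prefs, 'any', true);
    $keep = function (array $post) use ($only, $any): bool {
        $cats = $post['categories'];
        if (array_intersect($cats, $any) !== []) {
            return false;   // option 2: one banned category hides the post
        }
        // option 1: hide only when nothing outside the muted set remains
        return $cats === [] || array_diff($cats, $only) !== [];
    };
    return array_values(array_filter($posts, $keep));
}

// Constructed sample posts; the category names echo the ones in the post.
$posts = [
    ['title' => 'Hour 13 check-in', 'categories' => ['Blogathon 2005']],
    ['title' => 'Feed ideas', 'categories' => ['Blogathon 2005', 'WordPress']],
    ['title' => 'Election rant', 'categories' => ['Politics', 'Geekery']],
    ['title' => 'New gadget', 'categories' => ['Geekery']],
];
$prefs = ['Blogathon 2005' => 'only', 'Politics' => 'any'];
foreach (feed_filter($posts, $prefs) as $post) {
    echo $post['title'], "\n";
}
```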

Out of Gas

I’ve been putting off upgrading all the local WordPress installations, and other than brief breaks for food, showering, and laundry, I’ve done nothing but upgrade WordPress installations for the last 12-plus hours. The sad thing is, I’ve still got about 15% of what’s left on the box to upgrade.

To be fair, it’s not a straight WP upgrade. I have a blend of plugins that I like to use, a way of keeping WP installs neat and orderly that I like, and also some general cruft cleanup that I’m doing with this. I also had found a couple installs that had egregiously escaped upgrade for a couple cycles now. :oops:

I thought I’d be done by 5:00 p.m. or so tonight. Then I thought I’d be done by dark. Now, I’m just going to quit before midnight and pick up tomorrow. I could go for a while longer, but I better not do that.

A Spammer’s a Spammer

I’ve noticed that, over the last couple of weeks, I’ve caught comment spam outbreaks before they start by watching the same spammers try to hit my referral logs. I use Referrer Karma to keep my referral logs from becoming spam pits, which saves me from having to remove things manually. I’ve been finding, though, that I can seed my spam blacklist with just the base domain.tld being spammed, to good effect. I can additionally seed Spam Karma 2’s IP blacklist with the IPs used to attempt referral spamming, which helps matters as well.

I guess that my advice is to watch referral logs and see what URLs are being spammed today—with my sites, those are the URLs that’ll be attempting comment spam come tomorrow.

Truly Moderating the URL

I’m changing some philosophy in how I handle comment spam: I’m going to largely avoid keyword-based filtering in the default WordPress moderation keyword list, and go to only a blacklist based upon domain names. I’ll test it for a week or so and see how successful it is.

Understand that I’ll also be using things like Spam Karma 2 and Bad Behavior and stuff that generally keeps the ol’ comment box from becoming the biggest trash bin you’ve ever seen—those filter out the people who’re doing automated hose-ups. But if I can keep a handle on the domains that are spamming me, I should be fine.

Why am I taking this approach? I fully understand that what they’re wanting to spam is their URL—for links. So, if I blacklist domains for spamming me, I’ve ended their reign permanently. Can they move to a new domain? Sure. But I don’t want to harm legitimate commentors who might use some of those keywords.

We’ll see how this goes…
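Domain-only moderation as described above, as an added example (not WordPress or Spam Karma 2 code). `comment_hosts()` and `is_blacklisted()` are hypothetical names and every domain and comment is constructed; the third sample uses spam-like keywords but links to a domain that is not blacklisted.

```php
<?php
// Added example, not WordPress or Spam Karma code. comment_hosts() and
// is_blacklisted() are hypothetical; all domains below are constructed.

// Pull the host of every http(s) URL out of a comment body.
function comment_hosts(string $text): array
{
    preg_match_all('~https?://[^\s<>"\']+~i', $text, $m);
    $hosts = [];
    foreach ($m[0] as $url) {
        $host = parse_url($url, PHP_URL_HOST);
        if (is_string($host) && $host !== '') {
            // normalise case and a trailing root dot before matching
            $hosts[] = rtrim(strtolower($host), '.');
        }
    }
    return array_unique($hosts);
}

// True when $host is a blacklisted base domain or any subdomain of one.
// Matching on a label boundary keeps "notcheap-pills.example" from
// matching "cheap-pills.example".
function is_blacklisted(string $host, array $blacklist): bool
{
    foreach ($blacklist as $domain) {
        $suffix = '.' . $domain;
        if ($host === $domain || substr($host, -strlen($suffix)) === $suffix) {
            return true;
        }
    }
    return false;
}

// Constructed blacklist and comments.
$blacklist = ['cheap-pills.example'];
$comments = [
    'Great post! http://www.cheap-pills.example/buy',
    'Visit http://CHEAP-PILLS.example./x today',
    'Unrelated site: https://notcheap-pills.example/',
    'I wrote about cheap pills policy at https://health-blog.example/2005/',
];
foreach ($comments as $c) {
    $hit = array_filter(comment_hosts($c), fn($h) => is_blacklisted($h, $blacklist));
    echo ($hit ? 'HOLD ' : 'PASS '), $c, "\n";
}
```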

Atom 1.0 and RSS 2.0 Compared

Tim Bray is hosting a wiki comparing RSS 2.0 and Atom 1.0. As Tim notes, Atom 1.0 is essentially done. I’m sure that, as the world catches up to Atom 1.0 being done, the wiki will be fleshed out by Tim, Sam Ruby, Paul Hoffman, and Rob Sayre.

I’m glad to see a robust syndication mechanism being put out there for all to use and parse. I’m hopeful that WP 1.6 will support Atom 1.0, but I don’t know what their release schedule is and how steep the path is from Atom 0.3 to 1.0.

WP 1.5.1.3 and Plugins Updated

Let me know if I broke anything … now that I’m home, I’ve upgraded to WordPress 1.5.1.3 [oi, the versioning structure is ... ugly]. I also upgraded my entire plugin set.

Now, it’s time for me to put together another install package. [Yes, I know, I should be using Subversion. I haven't taken the time to get SVN working on my box. :yawn:]

Bye Bye, XML-RPC

I just deleted a ton of WordPress XML-RPC scripts because I’m headed out of town and don’t have time to do another upgrade. I’ll work with everyone here on the box to do upgrades when I get back home and all that good stuff.

Break Out the Completionists!

Seems that Martey Doodoo has a problem with the unintended consequences of unforeseen, untested cases … and thinking on it, I wonder if WP’s pretty TrackBack URLs would fail if you had a post slug of “trackback”. :chuckle:

In all seriousness, this is definitely a job for a completionist, preferably a completionist free electron. Not that I’m acquainted with any. :cough:

[I am so dead. And it's all Alex's fault for sending me this link via IM.]

TrackBack Spam Blocker Updated

On a lark, I found that Scott Buchanan’s TrackBack Spam Blocker has been updated to version 1.1.0. I’ve been using it for some time, and it’s been beneficial.