# SolidOS Team Meeting
* Date: 06.28.2023 18:00 (UTC+2)
* Call: [https://meet.jit.si/solid-operating-system](https://meet.jit.si/solid-operating-system)
* Chat: [https://gitter.im/solidos/solidos](https://gitter.im/solidos/solidos)
* Repository: [https://github.com/solidos/solidos](https://github.com/solidos/solidos)
* Meetings home: [https://solidos.solidcommunity.net/public/SolidOS%20team%20meetings/](https://solidos.solidcommunity.net/public/SolidOS%20team%20meetings/)
----
## Present attendees
* Angelo, Timea, Jeff, Rahul, Noel, Tim
### Scribes
* Timea, Noel
---
## Topics
### Round Table
#### Angelo
* nothing to share
#### Jeff
* released solid web components - https://github.com/SolidOS/solid-web-components
* needs help with sanitizing HTML but not the components themselves - if anyone knows anything about it and can help.
#### Rahul
* released a new spec - new proposal for notifications - 0 round-trip notification protocol.
* URL: https://github.com/CxRes/per-resource-events/
* would love some feedback on it.
#### Timea
* nothing to share
#### Noel
* working on my framework [AerogelJS](https://aerogel.js.org)
* next week will be last time until September - will be on a work and travel situation over in Japan.
* once I have the framework I can showcase it. Soukai is only the data layer, the framework is to make UI. It will extract the commonalities (common patterns) from all the apps I coded.
* Angelo: is it a Vue specific framework?
* Noel: yes. Vue, Tailwind CSS and Soukai are the pillars. Everything else is optional.
* Using this will be very easy to simply make a new Umai, Solid app. Soukai helps not to need to know much about Solid. Let's see how it turns out.
#### Tim
* 3 days at the DWeb camp. It was brilliant. Jackson joined too, and we did a Solid talk together "This is where we are". We showcased some Apps.
* IPFS and systems on distributed file systems and blockchain was the initial of DWeb camp. But now there was less Blockchain. Which is good.
* Very packed, many many parallel sessions. Intense. Also artists and philosophers and policy experts, not just geeks.
* The Matrix founder gave a talk. I talked directly about our problems. Talking about using URIs for user accounts. ;)
* It would be good to connect more with them. Matrix users could benefit from having a Pod. We have a lot of commonalities.
* Braid is the standard for CRDTs and local first. HTTP is almost what you want. 5 more headers and you have a CRDT compatible system. https://braid.org/
* There was a governance meeting about open collective, which manages groups like this: collective expense management for example. Those would be cool to run on Solid, and could be a tool we use.
* Holochain is not Blockchain. They apologized for the 'chain' in it. It is good to keep an eye on them. We had a day offline, they cut the net. So I did not get local domain name working. People helped me to get it working.
* We should have a Matrix & Solid chat to overlap communication.
* Solid World was just now and it made a good case for Solid. We could maybe invite DWeb to talk at Solid World too.
* There were a lot of people and it was hard to keep track of them all :)
* Next time we should be more prepared: a Solid running server and run an App to run the conference on it. Now they used SHED which can be used for scheduling the conference and also the unconference style sessions.
### Main topics
* no updates
### Technical topics
#### HTML Sanitizing (Jeff)
* Jeff: I want to build a componentized SolidOS to use different parts. We can then on the fly create website parts. That means it should import components. Example: load a SPARQL query and add it to HTML based on a particular variable. Later in your HTML you say 'include this component' and include only people. To include that into another file, this needs sanitizing. Simple, like banner including is already sanitized. For a plain HTML and markdown you can sanitize it.
* But a web component is a custom HTML so there is no generic way to sanitize it. If you are importing random HTML - it gets sanitized but if you import a component you are responsible for it. Is this the right approach?
* Tim: we have this on SolidOS. It is a serious security issue. It is hard. You have to use a system to sanitize. The forms that we have do not have rich text. Matrix has rich text (either text or HTML version). Gitter had also both. The default was, if it did not want to process the HTML it would just give you the text. It is good practice to use hyperlinks. This means we use HTML that people will create.
* Noel: In UMAI you can write markdown and it works. Not sure about HTML conversion. If it is automated it can be that it is not 100% the same afterwards.
* Tim: when you edit it again it should be again markdown.
* Noel: You can't always translate it backwards because markdown is a superset of HTML (so you don't know what was originally HTML or has been converted from markdown). In any case, I agree any user content should be sanitized. I think with Jeff's web components it should be that: if you use one you need to trust the source of where you are getting it. For WordPress for example: there are plugins with ratings, you install it from a trusted source. In this case, you cannot limit them.
* Rahul: https://developer.mozilla.org/en-US/docs/Web/API/Trusted_Types_API
* Jeff: the link that Rahul pasted - it is possible but you need to specify every single tag that needs to get sanitized. This will restrict the usability of Web Components then. I need to research how this is done with other components.
* Jeff: how I do it now: I always write it sanitized - markdown is converted to HTML only after it is sanitized.
* Noel: in case of WordPress it is centralized where the components are. In Solid there is no appstore.
* Tim: it should be digitally signed by creator and that list of creators is known by us. For when we have an App Store.
* Angelo: this is in general the case - if I install anything from the web or npm we need to trust it.
* Jeff: the additional layer here is about trusting web component publishers. But in my future, devs will build on top of existing components and make their own then. It is not just going and getting the software, where are they stored and pulled in?
* Angelo: it is still exactly what is in place now with supplying libs eve.
* Timea: before getting stuck with the big task of creating an infrastructure for trusting web components we can just say for now that people using the web components must trust the owner and they have to decide on their own.
* Noel: Something interesting to look at is [deno](https://deno.com/) (the new project by the creator of node). Something they do is that when you import a dependency, you do it by writing a url (instead of a package name in a centralized dependency, like it happens with node which uses npm).
#### Others
* Timea: Inrupt released learning videos https://www.inrupt.com/videos
* Noel: is there a way to comment? It would be useful to have that.
#### Inrupt videos
https://www.inrupt.com/videos
---
This template is based on the [W3C meeting template](https://github.com/solid/specification/blob/main/meetings/template.md)
[Code of conduct](https://github.com/solid/process/blob/main/code-of-conduct.md)