[twitter-dev] Re: Thoughts on annotations

[ssriram]

Hi,

It was a lot of fun and thanks to the Twitter folks for hosting it and
giving
us api access. Here are a few of my takeaways

1. The hashtag is dead http://bit.ly/ct8orP
2. custom annotation renderers and micro-html tweets are coming to a
client near you.
3. hello new world

S. Sriram
@565labs

[twitter-dev] Re: Thoughts on annotations

[Bess]

About Parking. Closest one near Twitter is Museum Parc Garage. It
closes at 11pm on Sat and 6pm on Sun.

There are other overnight parking but they charge $25-$32 for 12-24
hrs. Many parking options on 3rd Street between Harrison  Folsom Full
Day $8-10 on weekend. Some of them are outdoor so I don't think there
is issue on building being closed at night.

I am very surprise the parking situation near Twitter is better than
expected. Next time I would map other parking options so we can share
the info better on Tweet feed.

Museum Parc Garage
300 3rd St
(between Folsom St  Saint Francis Pl)
San Francisco, CA 94107
Neighborhood: SOMA
(415) 284-9553
www.museumparcgarage.com

Overnight Hotel Parking: $25.00 per night with In  Out Priveleges
Hours:
Mon-Fri 6 a.m. - 11 p.m.
Sat 8 a.m. - 11 p.m.

On May 31, 12:56 pm, zbowl...@gmail.com zbowl...@gmail.com wrote:
 I was still waking up and recovering from yesterday when I wrote this
 so forgive the typos, grammar, and mixing up attributes as
 annotations.

 I also wanted to mention that I'm glad that twitter didn't confuse
 annotations by using the term namespace or providing some kind of
 mechanism that goes that direction. I originally was wondering about
 conflicting but this method is better. Namespace gives developers a
 sense of ownership with the data stored in that annotation type. You
 can easily still easily namespace your types if you want (possibly in
 the reverse DNS format used in Java) but you can't prevent other
 developers from using them and that needs to be conveyed. If you need
 to strongly store annotation data, you can use signatures, hashes,
 version markers, or whatever in the annotation that you want to
 provide that, but it's up to the developer to what they want to fit
 their needs.

 Also wanted to playfully rant that parking overnight on the weekend
 near Twitter HQ sucks, especially when there is a baseball game. The
 closest garages all close at night on the weekends, so I ended up
 moving my car 3 times. Next time I'm taking BART and riding my
 bike. :-)

 Also

 On May 31, 11:39 am, Zac Bowling zbowl...@gmail.com wrote:

  This weekend's hackfest was at Twitter HQ was fun. About a couple dozen of 
  us stayed awake for about 30 hours and still had enough to energy to 
  present. Some pretty amazing things created and we helped identified a 
  bunch of bugs.

  Now that I've had a chance to go home and catch up on some sleep, here is a 
  brain dump of my thoughts.

  * One of the documented recommended types is place/location, but this data 
  is similar to what we store in the geo fields. I'm not sure what issues we 
  may run into privacy using it rather then storing the Geo fields (users can 
  enable/disable geo and remove geo data from all previous status updates).

  * We will always have twitter clients that will not understand or look even 
  look at our attributes. This means that we can't can't have annotations 
  that change the meaning of a tweet or make the meaning of the tweet 
  useless. This is basically graceful degradation, and not progressive 
  enhancement. We joked that want to see tweets that say: This tweet can 
  only be read in clients that support X annotations. Please upgrade your 
  twitter client or try X client..

  * You have to treat annotations as potentially hostile attack vectors.  As 
  was proved with some awesome cornfied and flashing unicorn injections this 
  weekend, any raw data can be store in annotations. Just because you stored 
  it there, anyone can do store any raw data and anyone can post tweets that 
  copy your annotation format. Twitter may sanitize javascript injections, 
  but it doesn't stop other types of injections from occurring if you don't 
  check. It's extremely important to validate, html encode, or whatever you 
  need to with the data stored in the annotations.

  As I did with my twitter remote shell execution example, I added my own 
  signature and noance of my own into the twitter annotation to validate the 
  sender had my secret. It may be one solution.

  * Attributes work at the time of creation because status updates are 
  immutable. This may be obvious to most, but its a limitation that hits you 
  a few times as you develop. Because of that we need to make sure that we 
  can get most of the clients, including Twitter.com, support the most 
  popular annotation formats. We can't fix update status updates after the 
  fact so we have to get it right.  (Adding annotations to new style retweets 
  is in theory possible)

  * Can't remind people enough to switch from twitter.com to api.twitter.com. 
   A bunch of little differences between the two that give you headaches. Our 
  board of wasted time at the hackfest summed it up pretty well.

  * A good number of us spent a good deal of time on just getting past OAuth 
  this weekend. We had a lot of people that understood the OAuth spec fairly 
  well thankfully and @jmhodges was there to help 

[twitter-dev] Re: Thoughts on annotations

[Mo]

Great update!  I don't feel so bad for missing the event now.

-Mo
@pay4tweet


On May 31, 11:39 am, Zac Bowling zbowl...@gmail.com wrote:
 This weekend's hackfest was at Twitter HQ was fun. About a couple dozen of us 
 stayed awake for about 30 hours and still had enough to energy to present. 
 Some pretty amazing things created and we helped identified a bunch of bugs.

 Now that I've had a chance to go home and catch up on some sleep, here is a 
 brain dump of my thoughts.

 * One of the documented recommended types is place/location, but this data is 
 similar to what we store in the geo fields. I'm not sure what issues we may 
 run into privacy using it rather then storing the Geo fields (users can 
 enable/disable geo and remove geo data from all previous status updates).

 * We will always have twitter clients that will not understand or look even 
 look at our attributes. This means that we can't can't have annotations that 
 change the meaning of a tweet or make the meaning of the tweet useless. This 
 is basically graceful degradation, and not progressive enhancement. We joked 
 that want to see tweets that say: This tweet can only be read in clients 
 that support X annotations. Please upgrade your twitter client or try X 
 client..

 * You have to treat annotations as potentially hostile attack vectors.  As 
 was proved with some awesome cornfied and flashing unicorn injections this 
 weekend, any raw data can be store in annotations. Just because you stored it 
 there, anyone can do store any raw data and anyone can post tweets that copy 
 your annotation format. Twitter may sanitize javascript injections, but it 
 doesn't stop other types of injections from occurring if you don't check. 
 It's extremely important to validate, html encode, or whatever you need to 
 with the data stored in the annotations.

 As I did with my twitter remote shell execution example, I added my own 
 signature and noance of my own into the twitter annotation to validate the 
 sender had my secret. It may be one solution.

 * Attributes work at the time of creation because status updates are 
 immutable. This may be obvious to most, but its a limitation that hits you a 
 few times as you develop. Because of that we need to make sure that we can 
 get most of the clients, including Twitter.com, support the most popular 
 annotation formats. We can't fix update status updates after the fact so we 
 have to get it right.  (Adding annotations to new style retweets is in theory 
 possible)

 * Can't remind people enough to switch from twitter.com to api.twitter.com.  
 A bunch of little differences between the two that give you headaches. Our 
 board of wasted time at the hackfest summed it up pretty well.

 * A good number of us spent a good deal of time on just getting past OAuth 
 this weekend. We had a lot of people that understood the OAuth spec fairly 
 well thankfully and @jmhodges was there to help (although not his area he 
 deals with in the code). Since you update twitter with POST, it's optional to 
 store the authentication data in the postdata instead of the authentication 
 header according to the spec, and some our libraries were doing just that, 
 but twitter only works with the Authentication header. We didn't know but 
 this was documented on the Wiki and had to learned from trial and error. A 
 bunch of us got caught up on using twitter.com instead of api.twitter.com. I 
 think we all worked through it at about midnight late saturday.

 In the end it was pretty awesome. I want to thank @jonashuckestein for the 
 the bookmarklet. It was awesome and saved us all time.

 http://jonashuckestein.github.com/Twitter.com-Annotations-Bookmarklet/(see my 
 stream with ithttp://twitpic.com/1st8sd)

 I won't cover the bugs. I'll leave twitter to document those if and when they 
 open up annotations to more developers.

 Thanks all!

 Zac Bowling
 @zbowling

[twitter-dev] Re: Thoughts on annotations

[themattharris]

Zak,

Thanks for coming along and sharing your thoughts and feedback with
everyone. We're all impressed with what you and other developers came
up with this weekend and for finding those bugs and gotchas. We're
taking that information on board and making the necessary changes to
protect the API and improve the documentation.

For those who are interested in knowing about the other projects
please visit the wiki page [1] for a list of them.

Matt

1. http://wiki.github.com/themattharris/annotations-hackfest/

On May 31, 12:56 pm, zbowl...@gmail.com zbowl...@gmail.com wrote:
 I was still waking up and recovering from yesterday when I wrote this
 so forgive the typos, grammar, and mixing up attributes as
 annotations.

 I also wanted to mention that I'm glad that twitter didn't confuse
 annotations by using the term namespace or providing some kind of
 mechanism that goes that direction. I originally was wondering about
 conflicting but this method is better. Namespace gives developers a
 sense of ownership with the data stored in that annotation type. You
 can easily still easily namespace your types if you want (possibly in
 the reverse DNS format used in Java) but you can't prevent other
 developers from using them and that needs to be conveyed. If you need
 to strongly store annotation data, you can use signatures, hashes,
 version markers, or whatever in the annotation that you want to
 provide that, but it's up to the developer to what they want to fit
 their needs.

 Also wanted to playfully rant that parking overnight on the weekend
 near Twitter HQ sucks, especially when there is a baseball game. The
 closest garages all close at night on the weekends, so I ended up
 moving my car 3 times. Next time I'm taking BART and riding my
 bike. :-)

 Also

 On May 31, 11:39 am, Zac Bowling zbowl...@gmail.com wrote:



  This weekend's hackfest was at Twitter HQ was fun. About a couple dozen of 
  us stayed awake for about 30 hours and still had enough to energy to 
  present. Some pretty amazing things created and we helped identified a 
  bunch of bugs.

  Now that I've had a chance to go home and catch up on some sleep, here is a 
  brain dump of my thoughts.

  * One of the documented recommended types is place/location, but this data 
  is similar to what we store in the geo fields. I'm not sure what issues we 
  may run into privacy using it rather then storing the Geo fields (users can 
  enable/disable geo and remove geo data from all previous status updates).

  * We will always have twitter clients that will not understand or look even 
  look at our attributes. This means that we can't can't have annotations 
  that change the meaning of a tweet or make the meaning of the tweet 
  useless. This is basically graceful degradation, and not progressive 
  enhancement. We joked that want to see tweets that say: This tweet can 
  only be read in clients that support X annotations. Please upgrade your 
  twitter client or try X client..

  * You have to treat annotations as potentially hostile attack vectors.  As 
  was proved with some awesome cornfied and flashing unicorn injections this 
  weekend, any raw data can be store in annotations. Just because you stored 
  it there, anyone can do store any raw data and anyone can post tweets that 
  copy your annotation format. Twitter may sanitize javascript injections, 
  but it doesn't stop other types of injections from occurring if you don't 
  check. It's extremely important to validate, html encode, or whatever you 
  need to with the data stored in the annotations.

  As I did with my twitter remote shell execution example, I added my own 
  signature and noance of my own into the twitter annotation to validate the 
  sender had my secret. It may be one solution.

  * Attributes work at the time of creation because status updates are 
  immutable. This may be obvious to most, but its a limitation that hits you 
  a few times as you develop. Because of that we need to make sure that we 
  can get most of the clients, including Twitter.com, support the most 
  popular annotation formats. We can't fix update status updates after the 
  fact so we have to get it right.  (Adding annotations to new style retweets 
  is in theory possible)

  * Can't remind people enough to switch from twitter.com to api.twitter.com. 
   A bunch of little differences between the two that give you headaches. Our 
  board of wasted time at the hackfest summed it up pretty well.

  * A good number of us spent a good deal of time on just getting past OAuth 
  this weekend. We had a lot of people that understood the OAuth spec fairly 
  well thankfully and @jmhodges was there to help (although not his area he 
  deals with in the code). Since you update twitter with POST, it's optional 
  to store the authentication data in the postdata instead of the 
  authentication header according to the spec, and some our libraries were 
  doing just that, but twitter only works with the 

[twitter-dev] Re: Thoughts on annotations

[zbowl...@gmail.com]

I was still waking up and recovering from yesterday when I wrote this
so forgive the typos, grammar, and mixing up attributes as
annotations.

I also wanted to mention that I'm glad that twitter didn't confuse
annotations by using the term namespace or providing some kind of
mechanism that goes that direction. I originally was wondering about
conflicting but this method is better. Namespace gives developers a
sense of ownership with the data stored in that annotation type. You
can easily still easily namespace your types if you want (possibly in
the reverse DNS format used in Java) but you can't prevent other
developers from using them and that needs to be conveyed. If you need
to strongly store annotation data, you can use signatures, hashes,
version markers, or whatever in the annotation that you want to
provide that, but it's up to the developer to what they want to fit
their needs.

Also wanted to playfully rant that parking overnight on the weekend
near Twitter HQ sucks, especially when there is a baseball game. The
closest garages all close at night on the weekends, so I ended up
moving my car 3 times. Next time I'm taking BART and riding my
bike. :-)

Also

On May 31, 11:39 am, Zac Bowling zbowl...@gmail.com wrote:
 This weekend's hackfest was at Twitter HQ was fun. About a couple dozen of us 
 stayed awake for about 30 hours and still had enough to energy to present. 
 Some pretty amazing things created and we helped identified a bunch of bugs.

 Now that I've had a chance to go home and catch up on some sleep, here is a 
 brain dump of my thoughts.

 * One of the documented recommended types is place/location, but this data is 
 similar to what we store in the geo fields. I'm not sure what issues we may 
 run into privacy using it rather then storing the Geo fields (users can 
 enable/disable geo and remove geo data from all previous status updates).

 * We will always have twitter clients that will not understand or look even 
 look at our attributes. This means that we can't can't have annotations that 
 change the meaning of a tweet or make the meaning of the tweet useless. This 
 is basically graceful degradation, and not progressive enhancement. We joked 
 that want to see tweets that say: This tweet can only be read in clients 
 that support X annotations. Please upgrade your twitter client or try X 
 client..

 * You have to treat annotations as potentially hostile attack vectors.  As 
 was proved with some awesome cornfied and flashing unicorn injections this 
 weekend, any raw data can be store in annotations. Just because you stored it 
 there, anyone can do store any raw data and anyone can post tweets that copy 
 your annotation format. Twitter may sanitize javascript injections, but it 
 doesn't stop other types of injections from occurring if you don't check. 
 It's extremely important to validate, html encode, or whatever you need to 
 with the data stored in the annotations.

 As I did with my twitter remote shell execution example, I added my own 
 signature and noance of my own into the twitter annotation to validate the 
 sender had my secret. It may be one solution.

 * Attributes work at the time of creation because status updates are 
 immutable. This may be obvious to most, but its a limitation that hits you a 
 few times as you develop. Because of that we need to make sure that we can 
 get most of the clients, including Twitter.com, support the most popular 
 annotation formats. We can't fix update status updates after the fact so we 
 have to get it right.  (Adding annotations to new style retweets is in theory 
 possible)

 * Can't remind people enough to switch from twitter.com to api.twitter.com.  
 A bunch of little differences between the two that give you headaches. Our 
 board of wasted time at the hackfest summed it up pretty well.

 * A good number of us spent a good deal of time on just getting past OAuth 
 this weekend. We had a lot of people that understood the OAuth spec fairly 
 well thankfully and @jmhodges was there to help (although not his area he 
 deals with in the code). Since you update twitter with POST, it's optional to 
 store the authentication data in the postdata instead of the authentication 
 header according to the spec, and some our libraries were doing just that, 
 but twitter only works with the Authentication header. We didn't know but 
 this was documented on the Wiki and had to learned from trial and error. A 
 bunch of us got caught up on using twitter.com instead of api.twitter.com. I 
 think we all worked through it at about midnight late saturday.

 In the end it was pretty awesome. I want to thank @jonashuckestein for the 
 the bookmarklet. It was awesome and saved us all time.

 http://jonashuckestein.github.com/Twitter.com-Annotations-Bookmarklet/(see my 
 stream with ithttp://twitpic.com/1st8sd)

 I won't cover the bugs. I'll leave twitter to document those if and when they 
 open up annotations to more developers.

 Thanks