terraform
ephemeral: support write-only attributes
This PR aims to build baseline support for write-only attributes, that is, attributes that can be set to ephemeral values and cannot be read / referenced. These attributes are hidden from the state.
Fixes TF-18617
Target Release
1.11.x
Draft CHANGELOG entry
NEW FEATURES
- Ephemeral Values: support for write-only attributes, that is, attributes that can be set to ephemeral values and cannot be read / referenced. These attributes are hidden from the state and plan files.
Actually, it looks like the did:plc specification already supports multiple aliases
alsoKnownAs (array of strings): should include an at:// URI indicating a handle (hostname) for the account. Note that the handle/DID mapping needs to be validated bi-directionally (via handle resolution), and needs to be re-verified periodically
So maybe this issue needs to be opened on the PDS project instead?
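The bi-directional validation described in the quoted did:plc text, as an added example that is not part of the thread or of any Bluesky code: every handle claimed in `alsoKnownAs` must resolve back to the same DID before it is trusted. The function names, the sample DIDs and the dictionary standing in for real handle resolution are all assumptions made for illustration.

```python
from typing import Callable, Optional

AT_PREFIX = "at://"

def handles_from_did_doc(did_doc: dict) -> list:
    """Return handle hostnames claimed via at:// URIs in alsoKnownAs."""
    handles = []
    for aka in did_doc.get("alsoKnownAs", []):
        if isinstance(aka, str) and aka.startswith(AT_PREFIX):
            host = aka[len(AT_PREFIX):].split("/", 1)[0].lower().rstrip(".")
            if host and host not in handles:
                handles.append(host)
    return handles

def verify_handles(did_doc: dict, resolve_handle: Callable[[str], Optional[str]]) -> dict:
    """Classify each claimed handle. The DID document names the handle, and the
    handle must resolve back to the same DID for the mapping to count."""
    did = did_doc.get("id")
    results = {}
    for handle in handles_from_did_doc(did_doc):
        try:
            resolved = resolve_handle(handle)
        except Exception:
            resolved = None  # a resolution failure is never treated as success
        if resolved is None:
            results[handle] = "unresolved"
        else:
            results[handle] = "valid" if resolved == did else "mismatch"
    return results

# Constructed sample data (hypothetical accounts, not real DIDs or handles).
SAMPLE_DID = "did:plc:exampleaaaaaaaaaaaaaaaaaa"
OTHER_DID = "did:plc:examplebbbbbbbbbbbbbbbbbb"
SAMPLE_DOC = {"id": SAMPLE_DID, "alsoKnownAs": [
    "at://alice.example.com", "at://Alice.bsky.social",
    "at://gone.example.net", "https://example.org/@alice",  # last one is not a handle
]}
# Stand-in for real handle resolution; the second handle now points elsewhere.
SAMPLE_RESOLUTION = {"alice.example.com": SAMPLE_DID,
                     "alice.bsky.social": OTHER_DID}

if __name__ == "__main__":
    for handle, status in verify_handles(SAMPLE_DOC, SAMPLE_RESOLUTION.get).items():
        print(f"{handle}: {status}")
```

Re-running the same check on a schedule covers the "re-verified periodically" part of the quoted text: a handle that was `valid` and later reports `mismatch` or `unresolved` should stop being displayed for that account.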
Hi @seanthegeek!
Indeed, flexibility around DID/handle mappings, and the ability to retain (or at least "freeze") old *.bsky.social handles when changing to a custom domain handle, have been frequent requests and on our planning list for a long time now. One of many important areas to improve on.
One simple feature would be the ability for accounts on Bluesky PDS instances to reserve one *.bsky.social handle when they configure a custom domain handle. This would remove a lot of anxiety and impersonation issues around that configuration change, even if the reserved handle is not functional.
Another mitigation would be to "freeze" handles for some time period after a transition (unless transferring back to the original account). For example, a few days "cool down" period. This would reduce rapid-follow impersonation and handle "stealing".
Having multiple handles registered in the DID document alsoKnownAs list is more fraught. There are some strong arguments for (eg, validation of multiple affiliations), and arguments against (user confusion of having multiple names at the same time, need to frequently verify an arbitrary number of domains, etc). Whatever we end up deciding on for handles, we intend to allow bi-directional account verification in other ways as well, such as linking a Matrix account or ActivityPub account to an atproto identity.
For now I would point folks to the existing mitigations and work-arounds. These are fairly high-priority changes, which would save us a ton of time doing support requests and dealing with impersonation cases, but they also require updates to the core identity system, and we have a lot going on right now.
Hmmm. Great points. Perhaps a variation of the first option mentioned would be best. Reserve a *.bsky.social handle when switching to a domain handle, except allow that handle to only be functional as a redirect to the verified handle when looking up profiles directly (not as mentions, for example). Sort of like Wikipedia's "redirected from" pages. That way it can't be impersonated, and it's easy for newcomers to find the people they want to find based on that person's common username on other platforms like X and GitHub. Personally, I'm against multiple fully functional handles because of the complexity and confusion issues you mentioned.
I also want to thank you and the rest of the Bluesky team for all of the work you have done to build this amazing platform and scaling up to handle a massive wave of newcomers amid the mass migration from X. I can't imagine the development, operational, and moderation workloads.