cover photo

Hubzilla Development

!Hubzilla Development I upgraded to the new release candidate, but I have two issues:
  • Where are the tabs to sort and filter the network/grid timeline (incl starred items)? I see the Activity Filters widget, but that one has not those functions. Is this a regression?
  • When I edit a post after publishing, the bbcode text is compressed and therefore difficult to edit.

!Hubzilla Development
Looks like Nextcloud is getting ready for a new ActivityPub sharing feature in the next version (v14):

Might be cool if HubZilla could play along from the beginning :)

Although... I guess federated file-sharing would need some fixing too, as right now I am not able to share a file to a HubZilla webfinger address from withing Nextcloud either.
In fact, maybe an plugin to add OpenCloudMesh API compatibility would be the best? See:

King Emir#
Maybe it's time to start an offensive campaign for #zot on different pertinent media channels, to increase the awareness of it. Please consider this post as an initiative of a brainstorming. It's addressing those who know most about the communication protocols, and I'm unfortunately not one of them (yet).

What could be the content of the publicity campaign for zot?
Maybe the zot-relevant part of the interview by Sean Tilley with Mike, which could be summarized and added with a comarison chart of the different existing protocols?

What do you think about:

I'm not technique affine, so I don't know which are the IT and FLOSS relevant channels, but maybe

It seems again another protocol for a #decentralized network appeared, called #LBRY ( It doesn't seem so interesting to me, but I mention it anyway.

!Hubzilla Development !Free / Libre Open Source Softwares
M. Dent
Some good thoughts!  I set up a @Hubzilla Advocacy forum a while ago as another place to discuss these things.  Right now our biggest advocates are the techies who are also devs. It'd be great to divide the labor a bit and those who may not be best suited as devs can do advocacy work.

I really like your detailed hit list. Very concrete and something specific that people could pick up and work on!
Max Kostikov
I have plans on large article in russian about #Hubzilla and #Zot protocol as its part.

Max Kostikov
It seems I found the reason why I do not get fresh publications from @Hubzilla Development forum.


Max Kostikov
 Königsberg, Russia,  last edited: Thu, 19 Jul 2018 09:37:47 -0400  
!Hubzilla Development !Hubzilla Support Forum
I trying to find a painless way how to add new strings translations for new version of #{}.
In new 3.6RC some strings were changed and now Hubzilla interface have incomplete translation.
According utils README (thanks, Mario!) procedure should looks like:
1. to create empty with only english text file hmessages.po and modifiy its headers for current languge;
2. to import old translations into hmessages.po from hstrings.php using util/php2po.php tools;
3. to translate new or replaced strings in merged into hmessages.po;
4. to dump full translation in hstrings.php using util/po2php.php tool.

I'm stuck on 2 because of util/php2po.php error.

root@beta:/usr/local/www/ # php util/php2po.php view/ru/hstrings.php

Fatal error: Uncaught Error: Class 'App' not found in /usr/local/www/
Stack trace:
#0 /usr/local/www/ include_once()
#1 {main}
  thrown in /usr/local/www/ on line 7

I will be appreciate to any involved in Hubzilla #{} work for any advice how can I resolve this issue and provide updated translation for community.
  • First you should update the translation at
  • When translation is at 100% and you (or even better: others) are satisfied with it, you can download the relevant .po file from Transifex (click on language > view results > file (probably hmessages.po) > download for use)
  • Upload hmessages.po it to your Hubzilla translation to in your case view/ru/hmessages.po
  • Make sure you are in the root of your Hubzilla installation (e.g. /var/www/hubzilla) and type:
php util/po2php.php view/ru/hmessages.po

The file view/ru/hstrings.php should now be recreated.
Max Kostikov
  last edited: Thu, 19 Jul 2018 15:02:11 -0400  
Thanks, I know and did it before but now I need something opposite.
In Transifex we already have almost complete (enough translated) hmessages.po for 3.4. Also we have hstrings.php made from this file using described procedure.
In 3.6 some strings were changed, some deleted and some new were added. I want to save already translated part and merge it with new strings in Hubzilla so I need to find a way to import translated strings from 3.4 hstrings.php into 3.6 hmessages.po to translate new or changed strings.
I believe util/php2po.php should do it.
Mario Vavti
This is a test
This I can see. I think the issue is with the announcement channel.
Test Channel ?
I think the issue is with the announcement channel


!Hubzilla Development
I noticed a strange thing when interacting via a Mastodon instance:
Somehow where I have an embedded content in my Hubzilla instance, the retooted post on Mastodon has a "embedded content" text which is a bit confusing to Mastodon users as it is really only text.
I though the embedded plugin was a purely client side feature to show links and would not effect what is posted and federated to other instances?

Mario Vavti
  last edited: Wed, 18 Jul 2018 06:38:57 -0400  
If you installed Hubzilla via git and running master branch, you are only a git checkout 3.6RC away from the next major Hubzilla release. Make sure to also git checkout 3.6RC the addons if you decide to join the RC testing.

If you have not pointed your git repos to the new Hubzilla source code location yet, please do so ASAP. Have a look at this post to see how to do it.

You are welcome to provide feedback in form of bugreports or pull requests on issues you might find. Also testing of addons/plugins is highly appreciated.

You can follow the progress of RC testing in this wiki. Please PM me for wiki write-access if desired.

For the changelog please have a look at the git history for now.
A condensed summary will follow with the version 3.6 release announcement.

Happy testing!

!Hubzilla Announcements !Hubzilla Development
Max Kostikov
I still doesn't see my comments in Hubzilla Announcements.
Mario Vavti
  last edited: Sat, 21 Jul 2018 17:06:20 -0400  
Was very confused where the left-hand forums shortcuts went after updating. Maybe a new link in the "new members hints" section how to configure the activity filters to allow filtering for forums would help?
Otherwise everything seems to work fine over here.

Max Kostikov
 Königsberg, Russia,  
!Hubzilla Development
In russian FreeBSD chat in Telegram messenger appeared quite interesting idea about ability to subscribe on posts by tags. I'm don't sure is some Fediverse software have this feature or do not but I think it would be great to have this feature in Hubzilla.
Mike Macgirvin
Hubzilla uses Diaspora tag relays to subscribe to tags from that network, and there is current development in Friendica to allow any federated site to be a tag relay. You'd be welcome to implement this, preferably as an addon since it presents a number of scalability issues.

M. Dent
@Mario Vavti

I saw the "remove item" stuff.  Looks good!  There is a means to "update" items that are in the cart  - with deletion happening when an item is updated to quantity 0.  But I can see some utility to deleting all instances of a SKU as well.  I didn't examine it fully, but I got the sense of what you have.  Given "how things work now," it's a reasonable approach.

Just a few things to keep in mind, though:

There are some instances where deleting all instances of a SKU in an order will be undesirable.  For example - in the case of a SKU with customizable options (color, size, engraved text, or other custom options) and multiple "versions" of that SKU are desired (eg, ordering 4 items of the same SKU with different size/color/text on each).  In those cases, a customer may want to delete one "version" of the ordered item and keep the others.

The choice to have every item on it's own line was a pragmatic decision at this stage to reduce coding/debugging to get a workable system out as quickly as I was able - but at least SOME of the update code exists already.  An update to a quantity of 0 will remove the line-item from the order.

Additional orders for the same SKU can be aggregated using the before_additem hooks to check to see if there is an item with that SKU in the order already and doing and UPDATE instead of an ADD.  This should be done using the cart_order_before_additem_$itemtype hook - because some types of items should not be aggregated (see notes above) so you don't want to apply it to ALL items of the same SKU, just those of itemtypes for which it is appropriate.
Mario Vavti
@M. Dent i slightly changed a query of your last MR.
See here:

Not sure what you tried to accomplish but i think the result should be the same. Using distinct on id seems redundant since id will be always unique in this table. If you were just looking for one id that is not fulfilled, limit 1 is probably the better choice...

Please review!
M. Dent
(previous comment deleted.)

Looks good! Thanks!
M. Dent
That was a bit of earlier code probably put in at 2:30 am.  I noticed during debugging of the service_class code that it was failing and tried to fix the semantics without thinking about what it was actually doing.

Mario Vavti
@M. Dent i wonder what your plans with $session_orderhash and $query_orderhash are.
As it's implemented now in cart_getorderhash(), after adding an item to the cart it will not look to the DB again. Hence, if ordering from two different browsers (respectively sessions), they don't actually know from each other.
Is this behaviour intended?

!Hubzilla Development
M. Dent
Actually, they should know about each other.  Here's what the flow is currently.  I see some issues (described below) which I will fix this morning.

1) If there is a QUERY variable "cart" use that as the orderhash
2) If there is no QUERY variable "cart" - use the session variable as the orderhash
3) a) If we have an order hash ---> Check to make sure that the order associated with the orderhash:
     1) exists
     2) belongs to the observer
     3) has not been checked out.
    b) If we do not have an order hash (no query / no session) grab the first order for this buyer that is not checked out & set the session variable.

With the current implementation, if there is only one "store" on the server the two browser scenario isn't a problem.  The second browser will grab the currently open order from the database.  If there is more than one store, it may or may not depending on if it happens to grab the order for the current "store."  That's problem #1.

Problem #2 is, currently, if the get/session order is invalid, it will not probe the database but return null or a new order hash.

Problem #3 is that currently if using the "cart" query variable, the orderhash isn't updated in the session, so on the off chance a customer has more than one valid open order in a given store, it's possible to start the checkout process on one cart and be dropped into a different cart part way through.

Those should be fairly easy fixes - and you should have a merge request for them soon.

Problem #4 (similar to #3) is that because the session variable isn't set when using the query variable, it may be possible to have two separate open orders created by the same customer with no ability to switch from one cart to another.  It would be a rare occurance, but is (currently) possible.  As long as this is possible, it remains a little harder to solve.  The goal is to make this impossible. (which the fixes for the above should do).

Problem #5 has to do with trying to have 2 different users/profiles using the same browser session.  But Hubzilla doesn't currently seem to handle that gracefully, so I'm not sure that scenario is fixable.

The $query_orderhash is intended to allow things like direct links to abandoned carts or the ability to start the checkout/update process on an abandoned cart on the outside chance of multiple open orders for the same customer.

Only kind of related:  I wanted to ask/talk about the removeitem functions you added which I will do in a separate thread.
M. Dent
getorderhash updates included in recent PR (that replaces the PR I submitted overnight - I really need to NOT submit PR's at 2:30 AM... nothing good ever comes of it).

M. Dent
Mike has spoken for himself regarding his role in Hubzilla development - but this may provide a view from another mature developer of a major project who was "Benevolent Dictator For Life" that has removed himself from that role:

M. Dent
In putting together the PAYPAL integration for the CART plugin, I discovered more about the depth of the security consciousness of the devs (OK, let's be honest, probably Mike!). -  They (he?) thought of everything, it seems.  Including "Content-Security-Policy" headers.

In the case of PAYPAL (and other payment processors), there's a need to modify the CSP to allow the checkout.js script from PAYPAL to run (optimally [according to them] it should be loaded from THEIR server).  This is something that numerous others do as well (eg. STRIPE - a creditcard processor)].  But as is, the Content-Security-Policy breaks loading of off-site scripts.

One solution is to weaken security and turn off Content-Security-Policy headers in .htconfig.php, as the comment indicates:

// These lines set additional security headers to be sent with all responses
// You may wish to set transport_security_header to 0 if your server already sends
// this header. content_security_policy may need to be disabled if you wish to
// run the piwik analytics plugin or include other offsite resources on a page

It seems, thought, that the list of things that may require disabling is only likely to grow, and I really like the CSP restrictions.

There are a several ways to make it so the CSP can be manipulated - but it seems to me that the best solution is one that allows addon authors to change the string in a context dependent manner rather than needing to directly manipulate the string (and possibly remove or corrupt something important).  

As a proposal, I suggest a hook based solution - which would allow the inclusion through a registered hook or by using the Hook::insert() function for inclusion in narrowly contexts (eg., only scripts from a certain offsite host are only permitted in pages originating with a specific plugin).

Anyway, here's the proposed code for initial review/consideration.  If there are better implementations - that'd be great - this is just a first stab.  If it looks OK as is, I'll submit a Merge Request.

FILE: boot.php

        if(App::$config['system']['content_security_policy']) {
                $cspsettings = Array (
                        'script-src' => Array ("'self'","'unsafe-inline'","'unsafe-eval'"),
                        'style-src' => Array ("'self'","'unsafe-inline'")

                // Legitimate CSP directives (cxref:
                        "default-src", "script-src", "style-src",
                        "img-src", "connect-src", "font-src",
                        "object-src", "media-src", 'frame-src',
                        'sandbox', 'report-uri', 'child-src',
                        'form-action', 'frame-ancestors', 'plugin-types'
                $cspheader = "Content-Security-Policy:";
                foreach ($cspsettings as $cspdirective => $csp) {
                        if (!in_array($cspdirective,$validcspdirectives)) {
                                logger("INVALID CSP DIRECTIVE: ".$cspdirective,LOGGER_NORMAL);
                        $cspsetpolicy = implode(' ',$cspsettingsarray);
                        if ($cspsetpolicy) {
                                $cspheader .= " ".$cspdirective." ".$cspsetpolicy.";";
                //Original CSP Header
                //header("Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'");
M. Dent
Good point... of course, I read this literally 10 seconds after submitting the Merge Request.   I'll resubmit.

Perhaps switching to DEBUG or even TRACE?  Or just drop it entirely?
Mike Macgirvin
If you've already submitted - leave it. Feel sorry for the person that triggers it.
M. Dent
Knowing my luck..... it'll be me! LOL
  last edited: Thu, 12 Jul 2018 08:21:31 -0400  
poVoqpoVoq wrote the following post Thu, 12 Jul 2018 08:12:58 -0400
Actually, looking at it a bit closer this is not a server wide thing, but a per channel setting... thus really only for individual app passwords etc.

Would be nice though if Hubzilla would also support OpenID Connect provision. That way HubZilla could act as a identity management (already very nice with all the profile settings) for various other webservices provided by the hub-server. And given the easy to use nomadic identities this would link together multiple servers with one ID.

I think this Drupal plugin provides a similar functionality, so maybe a good starting point for someone looking into this?

@Mike Macgirvin Am I right in assuming the following: Through Zot Hubzilla provides a sort of SSO across multiple servers, thus if you have a cloned channel on a server you automatically log into the site when visiting. Thus if that server would provide SSO through OpenID Connect, one would also automatically log into any other non-hubzilla webservices on that server, right? That would make for a really easy to use and convenient multi-server SSO solution :)

!Hubzilla Development

Seems like this kind of OpenID Connect provision would be a really useful feature to have in Hubzilla for SSO.

It's a bit above my head to implement such a core feature, but given the existing OAuth2 server in Hubzilla it might not be that hard to do?
Mike Macgirvin
The existing OAuth2 server implements OpenIDConnect.
  last edited: Thu, 12 Jul 2018 10:30:26 -0400  
That's great!

But what I don't see is a way for the main administrator to generate a general id&token to configure other sites.

What seems possible is to create these as a channel owner in the settings page. But if I would then configure my (for examble) Wordpress page to have a nice "Log in with Hubzilla" button using OpenID Connect then only the channel owner would be able to use it, but none of the other users of my hub I think.

Or am I missing something?

Max Kostikov
 Königsberg, Russia,  last edited: Wed, 11 Jul 2018 06:55:32 -0400  
!Hubzilla Support Forum !Hubzilla Development
I just found an issue with links in Hubzilla comments.
If I press on name in redirects to user channel but shows me a banner "channel not found".
Lets say Mario Vavti name in comment have link

but if I press on it adds after & its HTML analogue amp; and brokes URL


But for example for Mike Macgirvin it works.
I didn't saw such behaviour before. May be latest commits broke redirection.
Mario Vavti
  last edited: Thu, 12 Jul 2018 15:34:18 -0400  
@Mike Macgirvin i still see this issue between two dev sites:
Have not found yet a way to reliably duplicate but it definitely happens sometimes...

EDIT: possibly nginx behaves different from apache?
Mario Vavti
@Max Kostikov i plan to release an RC next week if nothing blows up meanwhile...
Max Kostikov
It would be great!
BTW me and my Hubzilla friends opened few tickets in issue tracker on Framagit. I hope you will have time to check it.
Mike, Mario and other guys involved - many thanks for Hubzilla!

  last edited: Wed, 11 Jul 2018 09:07:13 -0400  
!Hubzilla Development
I just saw Mike's post about Zot6, denim, zap and vassal. Does that mean that those new apps will replace hubzilla in terms of priority, development etc (i read zot6 will be backported to hubzilla which usually suggest that thats the case)?
Or at least shift the focus to those new apps instead of hubzilla? Is there a point to actively work and improve on hubzilla and promote it if in few weeks/months we might be switching to new thing?
Mike Macgirvin
You mean turn all the extra features etc. into apps?


similar to what it is now but with more explanations etc

  last edited: Thu, 12 Jul 2018 12:34:57 -0400  
Hubzilla is a platform and develop could code for that platform all kind of things... I mean it should work like it did for other cms systems as well... all this plugins that come up after a while for WP...
But for some reasons this does not happen for Hubzilla.... Now the new apps of Mike might be an other try to spread the best parts of Hubzilla out in the world  again -  in the hope  this new apps catch fire among developers.
Mike Macgirvin
I've brought all the recent addon/app work to the red/hubzilla tree. I will also try to (where possible) get some of the Zot6 code moved over so that it can start to be integrated. There are some major unresolvable conflicts - most notably Daemon/Notifier; but I'll do what I can to keep Hubzilla moving forward and not let it lag.

M. Dent
Submitted a merge request to addons/dev to integrate a PayPal payments interface to the cart system.  Various updates to the rudimentary administration tools and (you guessed it) more hooks for custom additions.  Hopefully I can do some basic docs.  To use, you need to set up Paypal API Keys (Client/Secret) for the REST API.  (see for instructions)

In order to use the PAYPAL checkout flow, CONTENT-SECURITY-POLICY headers must be disabled in .htconfig.php  (Would love a hookable architecture for CSP so that plugins can add items rather than needing to disable the policy entirely - any takers?)

@Mario Vavti @Andrew Manning  @Mike Macgirvin
M. Dent
Ok, I have some other things to do but should be able to get a patch submitted before the weekend.
Mike Macgirvin
I've already patched but haven't committed yet. I'll push it  later today.
M. Dent
Wow! awesome, thanks!
Andrew Manning
I was trying to make a few Cards to see how one might combine existing Hubzilla tools to create a voting mechanism where people can choose from multiple options, and I discovered that once you vote you cannot revoke your choice like you can a like/dislike. I selected "Agree" then "Disagree" then "Abstain" and all three were recorded with my name, but I was unable to reverse those selections.
Mike Macgirvin
There's DB support for truly federated polls (the structures will work cross-platform with poll mechanisms in Diaspora, StatusNet and ActivityPub). There's no code support at this time. If anybody reading this want's to take it on, I'd suggest that the ActivityStreams format may be the ideal storage format for Hubzilla because it will map directly to Zot6 and ActivityPub.

Code exists in the consensus tools (implemented in the Like module) to undo (e.g. delete) all previous votes when making a new selection. This has worked fine in the past and hasn't changed in years so would require further investigation.

Hello Hubzillians,

Thanks to everybody, we now have enough names to start a poll so this is what we did.
Here is the link.
Poll stays open until 03-08-2018
Thank you.

Max Kostikov
 Königsberg, Russia,  last edited: Sun, 01 Jul 2018 16:25:41 -0400  
!Hubzilla Development
I'm use Hubzilla with latest PHP 7.2 release under FreeBSD environment (H2O HTTP/2 web-server + PHP-FPM).
It works quite fast but I think it can be faster with PHP opcache.
Perhaps experienced Hubzilla hub owners have any recommendations on opcache settings?
 from Diaspora
Czy ten wpis jest widoczny na Hubzilli?
!Hubzilla Development

Ta linijka dziwnie wygląda na Diasporze.
Max Kostikov
  last edited: Thu, 12 Jul 2018 15:26:52 -0400  
Well, let me publish my results on #PHP opcache usage with #Hubzilla.
As I wrote above I'm use PHP 7.2 in #FreeBSD 11.2 environment.
I installed php72-opcache package and changed only two parameters vs default configuration

root@beta:/usr/local/www/ # cat /usr/local/etc/php/ext-10-opcache.ini

After about a week of usage I might say that 64Mb memory buffer for opcache is more that enough not only for Hubzilla, but for other stuff that I have on same server (e.g. Roundcube, my own blog based on #Bludit flatfile #CMS and phpMyAdmin).
Memory consumption is remains less than 50Mb with cache hit rate about 99.96%.


Here is scripts usage visualisation.


And about performance. I didn't run special benchmarks but subjectively page load speed was dramatically increased. So I can recommend to use opcache for Hubzilla.