but seriously can we please get federated reports so that "oh, just post a message at the admin" and "oh, just register an account on that instance and report them from that" aren't the solutions because Fuck
ALSO if you do this make it so that reports from other instances only have a uuid based on the reporters full handle [username@domain] so that rogue admins cannot find people reporting bad behavior but good admins can block bad reporters based on a unique identifier
@boots Good idea! I think the simplest way to do this might be for each instance to have a random secret, and replace the reporter's username with an HMAC of the secret and the username.
@jamey yeah, i was just thinking
sha-[good number] "[salt][username][salt?]@[instance]"
@boots I think that's OK as long as the "salt" is kept secret (so it's not exactly a salt, right?) and unchanged every time that user files a report, but I'd feel more confident using a standard crypto construction such as HMAC. If the salt isn't secret, then it's easy to guess-and-check which username hashed to that UUID. If it is secret, then using the same one across a whole instance should be safe. ...I think.
@boots Maybe you've seen a usage of the term I haven't, I don't know either! In hashed passwords the salt has to be stored in cleartext along with the hash or you can't check the password later. But I'm just nitpicking terminology now, I think.