[users] Public Gemini hosting?

1. Jason McBrayer (jmcbray (a) carcosa.net)

Hi. I'm writing up a quick-start guide for Gemini newcomers who don't
have technical backgrounds, and I'm currently working on the section on
publishing on Gemini. Most of the target audience of this guide will
need to use web-based publishing tools like Flounder, Gemlog.Blue, the
Midnight Pub, and so on. But in case anyone is looking for something
between that and self-hosting, I'd like to provide some options.

I know about SourceHut Pages. I'm pretty sure several tildes provide
Gemini hosting for their members, but I haven't looked into them
deeply. Does anyone else know of any other free or paid Gemini hosting
sites?

-- 
Jason McBrayer      | “Strange is the night where black stars rise,
jmcbray@carcosa.net | and strange moons circle through the skies,
                    | but stranger still is lost Carcosa.”
                    | ― Robert W. Chambers, The King in Yellow


2. Rohan Kumar (seirdy (a) seirdy.one)

On Wed, Apr 07, 2021 at 03:50:48PM -0400, Jason McBrayer wrote:
> I know about SourceHut Pages. I'm pretty sure several tildes provide
> Gemini hosting for their members, but I haven't looked into them
> deeply. Does anyone else know of any other free or paid Gemini hosting
> sites?

- sdf.org recently got Gemini support. It's a pubnix server, but not part
  of the Tildeverse.
- As you stated, many tildes offer Gemini hosting.
- VPSes are always an option. Oracle's free VPS is the only decent
  product/service offered by Oracle I know of.

-- /Seirdy


3. Mansfield (mansfield (a) ondollo.com)

On Wed, Apr 7, 2021 at 1:51 PM Jason McBrayer <jmcbray@carcosa.net> wrote:

> Hi. I'm writing up a quick-start guide for Gemini newcomers who don't
> have technical backgrounds, and I'm currently working on the section on
> publishing on Gemini. Most of the target audience of this guide will
> need to use web-based publishing tools like Flounder, Gemlog.Blue, the
> Midnight Pub, and so on. But in case anyone is looking for something
> between that and self-hosting, I'd like to provide some options.
>
> I know about SourceHut Pages. I'm pretty sure several tildes provide
> Gemini hosting for their members, but I haven't looked into them
> deeply. Does anyone else know of any other free or paid Gemini hosting
> sites?
>
> --
> Jason McBrayer      | “Strange is the night where black stars rise,
> jmcbray@carcosa.net | and strange moons circle through the skies,
>                     | but stranger still is lost Carcosa.”
>                     | ― Robert W. Chambers, The King in Yellow
>


https://ondollo.com/mansfield currently offers free gemini hosting.

Thanks for asking, and thanks for writing up something to help newcomers!


4. Nathan Galt (mailinglists (a) ngalt.com)

On Wed, Apr 7, 2021, at 12:50 PM, Jason McBrayer wrote:
> Hi. I'm writing up a quick-start guide for Gemini newcomers who don't
> have technical backgrounds, and I'm currently working on the section on
> publishing on Gemini. Most of the target audience of this guide will
> need to use web-based publishing tools like Flounder, Gemlog.Blue, the
> Midnight Pub, and so on. But in case anyone is looking for something
> between that and self-hosting, I'd like to provide some options.
> 
> I know about SourceHut Pages. I'm pretty sure several tildes provide
> Gemini hosting for their members, but I haven't looked into them
> deeply. Does anyone else know of any other free or paid Gemini hosting
> sites?

Off the top of my bookmarks folder, all free:

- gemini://main-street.nightfall.city/real-estate/
- gemini://koyu.space/
- gemini://g.jae.moe/


5. Stefano Costa (steko (a) iosa.it)



6. Jason McBrayer (jmcbray (a) carcosa.net)


Mansfield writes:

> https://ondollo.com/mansfield currently offers free gemini hosting.

> Thanks for asking, and thanks for writing up something to help
> newcomers!

Hi! I'm deeply ambivalent about recommending your application to new
users. On the one hand, your app does *almost exactly* what I think is
the Right Thing for Gemini publishing: provide a unified native app for
both reading and publishing, with integrated account creation. I
honestly want to commend you for that.

On the other hand, neither your client nor your server are Free
Software. I can't really recommend to new users to run an untrusted
binary that I can't provide any security/privacy assurances for. Despite
my interest, I haven't even run it myself, for that reason.

Likewise, the client locks the user into using your server for
publishing. While that's certainly the easiest approach starting out,
I'd rather see an open standard for registration and publishing,
preferably using existing protocols.

Again, thanks for doing this experiment, because I think it's the right
direction for things to go; I just can't recommend it to new users at
this time.

-- 
Jason McBrayer      | “Strange is the night where black stars rise,
jmcbray@carcosa.net | and strange moons circle through the skies,
                    | but stranger still is lost Carcosa.”
                    | ― Robert W. Chambers, The King in Yellow


7. Jason McBrayer (jmcbray (a) carcosa.net)


Nathan Galt writes:

> Off the top of my bookmarks folder, all free:
>
> - gemini://main-street.nightfall.city/real-estate/
> - gemini://koyu.space/
> - gemini://g.jae.moe/

Thanks; I'll look into these (as well as the pubnixes).

-- 
Jason McBrayer      | “Strange is the night where black stars rise,
jmcbray@carcosa.net | and strange moons circle through the skies,
                    | but stranger still is lost Carcosa.”
                    | ― Robert W. Chambers, The King in Yellow


8. Mansfield (mansfield (a) ondollo.com)

On Thu, Apr 8, 2021 at 9:20 AM Jason McBrayer <jmcbray@carcosa.net> wrote:

>
> Mansfield writes:
>
> > https://ondollo.com/mansfield currently offers free gemini hosting.
>
> > Thanks for asking, and thanks for writing up something to help
> > newcomers!
>
> Hi! I'm deeply ambivalent about recommending your application to new
> users. On the one hand, your app does *almost exactly* what I think is
> the Right Thing for Gemini publishing: provide a unified native app for
> both reading and publishing, with integrated account creation. I
> honestly want to commend you for that.
>
>
Thanks! I think we're meeting our original objective in providing something
that goes from nowhere to creating content in Geminispace with as little
work or explanation as possible. That's awesome that you feel that way too.


> On the other hand, neither your client nor your server are Free
> Software. I can't really recommend to new users to run an untrusted
> binary that I can't provide any security/privacy assurances for. Despite
> my interest, I haven't even run it myself, for that reason.
>

Yeah, the untrusted part is something we're still working through. I doubt
I would run it myself if I hadn't written it! :-D

I also think that paying to sign the binaries would still *not* be enough,
right? At least, from my perspective (imagining I hadn't written it) I
would still not trust the client or server.


> Likewise, the client locks the user into using your server for
> publishing. While that's certainly the easiest approach starting out,
> I'd rather see an open standard for registration and publishing,
> preferably using existing protocols.
>
>
Interesting perspective... I think I would have characterized it
differently, but that's OK. When you mention 'using existing protocols', I
would assume you mean SSH - is that what you were meaning?


> Again, thanks for doing this experiment, because I think it's the right
> direction for things to go; I just can't recommend it to new users at
> this time.
>
> --
> Jason McBrayer      | “Strange is the night where black stars rise,
> jmcbray@carcosa.net | and strange moons circle through the skies,
>                     | but stranger still is lost Carcosa.”
>                     | ― Robert W. Chambers, The King in Yellow
>

Makes sense. I'll keep chipping away at something to see if progress can be
made.

I think, from your perspective, you're looking for something that is...
open source... and that uses a more standard approach for registering and
publishing, right?

Maybe if the client were written to run in the browser? But then the server
wouldn't be open... humm... though... I'm curious... is there *any* server
that is running where the code being run can be verified? I could see
someone saying, "I'm running the open source version of FOO as the server",
but they could have tweaked it to be FOO' or something... thoughts?

Again - thanks! We'll keep thinking about this.


9. Stephane Bortzmeyer (stephane (a) sources.org)

On Wed, Apr 07, 2021 at 03:50:48PM -0400,
 Jason McBrayer <jmcbray@carcosa.net> wrote 
 a message of 17 lines which said:

> I know about SourceHut Pages. I'm pretty sure several tildes provide
> Gemini hosting for their members, but I haven't looked into them
> deeply. Does anyone else know of any other free or paid Gemini hosting
> sites?

The medusae.space directory has everything:

gemini://medusae.space/search_all.gmi?hosting


10. Jason McBrayer (jmcbray (a) carcosa.net)


Mansfield writes:


> I also think that paying to sign the binaries would still *not* be
> enough, right? At least, from my perspective (imagining I hadn't
> written it) I would still not trust the client or server.

It's hard to say. I lean towards no... I know on proprietary OSes that
people do normally download and run signed binaries, and that this is
the level of trust that's normal to them.  But so far, I haven't
recommended anything that's not Free Software...

>  Likewise, the client locks the user into using your server for
>  publishing. While that's certainly the easiest approach starting out,
>  I'd rather see an open standard for registration and publishing,
>  preferably using existing protocols.
>
> Interesting perspective... I think I would have characterized it
> differently, but that's OK. When you mention 'using existing
> protocols', I would assume you mean SSH - is that what you were
> meaning?

SSH would in some ways be the best option. It's secure, and easy for the
server admins to set up and permission. But it makes a cross-platform
client harder, particularly on Windows (no vendor-supplied scp binary,
and it's known to be very hard to build libssh2 there). FTP is an
option, but it has privacy/security issues, and supporting libraries
often don't support FTPS. There's a case to be made for using HTTPS,
honestly, but I'd like to avoid web platform stuff by default (i.e.,
unless it's clearly the best choice).

> I think, from your perspective, you're looking for something that
> is... open source... and that uses a more standard approach for
> registering and publishing, right?

Yes. I'm actually working In My Copious Free Time on a standard and
a reference implementation for doing this, but I wouldn't expect real
fast progress. It's just at the thinking and taking notes stage.

> Maybe if the client were written to run in the browser?

There are actually several browser-based Gemini posting options
(midnight.pub, gemlog.blue, flounder.online), but I'm interested in
native apps, in the interest of fully decoupling from the WWW.

> But then the server wouldn't be open... humm... though... I'm
> curious... is there *any* server that is running where the code being
> run can be verified? I could see someone saying, "I'm running the open
> source version of FOO as the server", but they could have tweaked it
> to be FOO' or something... thoughts?

Most Gemini servers are FLOSS, but yes, there's no way to verify that
the code running on the server is exactly the public released code. I
don't see this as quite as essential as being able to trust the client
code, because if you're hosting your documents on someone else's server,
you've got to trust them to a certain extent anyway, and you're not
letting someone run code on your machine, with potential access to your
data that you haven't shared.

-- 
Jason McBrayer      | “Strange is the night where black stars rise,
jmcbray@carcosa.net | and strange moons circle through the skies,
                    | but stranger still is lost Carcosa.”
                    | ― Robert W. Chambers, The King in Yellow


11. almaember (almaember (a) disroot.org)

On Fri, 09 Apr 2021 09:44:01 -0400
Jason McBrayer <jmcbray@carcosa.net> wrote:

> SSH would in some ways be the best option. It's secure, and easy for
> the server admins to set up and permission. But it makes a
> cross-platform client harder, particularly on Windows (no
> vendor-supplied scp binary, and it's known to be very hard to build
> libssh2 there).

Actually, Windows 10 now comes with OpenSSH by default, and it has the
SCP command that can be used the same way you'd use it on Unices. 

And since essentially all the other MSWindows versions are unsupported
(except for 8.1, which, let's be real, nobody uses).

So that shouldn't be a big problem.

~almaember


12. Jason McBrayer (jmcbray (a) carcosa.net)

almaember writes:
> Actually, Windows 10 now comes with OpenSSH by default, and it has the
> SCP command that can be used the same way you'd use it on Unices. 

That's good to know, though I get the feeling that Windows 7 is more
widely used than is probably healthy.

Libssh2 would be *nicer*, but it's good to know that you can shell out
to scp on Windows 10 at worst.

-- 
Jason McBrayer      | “Strange is the night where black stars rise,
jmcbray@carcosa.net | and strange moons circle through the skies,
                    | but stranger still is lost Carcosa.”
                    | ― Robert W. Chambers, The King in Yellow


13. nervuri (nervuri (a) disroot.org)

On Thu, 2021-04-08, Mansfield wrote:
> I'm curious... is there *any* server that is running where the code
> being run can be verified? I could see someone saying, "I'm running the
> open source version of FOO as the server", but they could have tweaked
> it to be FOO' or something... thoughts?

Look into remote attestation - TPM-based cryptographic assurance that
remote code is what it's supposed to be.  It's a DRM-type scheme,
relying on a secret key being stored in hardware, so it's not ultimately
trustworthy, but it does raise the bar.  Signal makes use of the Intel
SGX variant [1], although it has its share of problems [2].

> SGX allows applications to provision a “secure enclave” that is
> isolated from the host operating system and kernel, similar to
> technologies like ARM’s TrustZone. SGX enclaves also support remote
> attestation. Remote attestation provides a cryptographic guarantee of
> the code that is running in a remote enclave over a network.

> An SGX enclave on the server would enable a service to perform
> computations on encrypted client data without learning the content of
> the data or the result of the computation.

[1] https://signal.org/blog/secure-value-recovery/#deus-sgx-machina
[2] https://medium.com/@maniacbolts/signal-increases-their-reliance-on-sgx-f46378f336d3


As for your application, I agree with Jason McBrayer: good idea, but I
would not use or recommend it unless it is libre software.


---
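
The remote-attestation check mentioned in the last message, applied to the FOO versus FOO' question, as an added example that is not part of any message in the thread. It models a measured boot chain with TPM-style hash extension and a nonce-bound quote; the HMAC key stands in for the hardware-held attestation key (a real TPM or SGX quote is an asymmetric signature), and the component names are constructed.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the attestation key sealed in hardware. A real TPM
# signs with an asymmetric key; the verifier only holds the public half.
HW_KEY = b"constructed-demo-hardware-key"

# Constructed boot chains: the public release and a locally patched build.
RELEASED = [b"bootloader v1", b"kernel v1", b"FOO server, public release"]
TWEAKED = [b"bootloader v1", b"kernel v1", b"FOO' server, locally patched"]

def measure(chain):
    """TPM-style PCR extend per component: pcr = SHA-256(pcr || SHA-256(c))."""
    pcr = bytes(32)
    for component in chain:
        pcr = hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()
    return pcr

def sign(nonce, pcr):
    return hmac.new(HW_KEY, nonce + pcr, hashlib.sha256).digest()

def quote(chain, nonce):
    """Hardware side: report the measurement, bound to the verifier's nonce."""
    pcr = measure(chain)
    return pcr, sign(nonce, pcr)

def verify(expected_pcr, nonce, pcr, sig):
    """Client side: check the quote is genuine and fresh, then compare code."""
    if not hmac.compare_digest(sign(nonce, pcr), sig):
        return "bad-signature"
    if not hmac.compare_digest(pcr, expected_pcr):
        return "unexpected-code"
    return "ok"

def demo():
    expected = measure(RELEASED)          # published alongside the release
    n1, n2 = os.urandom(16), os.urandom(16)
    honest = quote(RELEASED, n1)
    return {
        "released build": verify(expected, n1, *honest),
        "FOO' build": verify(expected, n1, *quote(TWEAKED, n1)),
        "old quote replayed": verify(expected, n2, *honest),
        "FOO' claiming FOO's hash": verify(expected, n1, expected, bytes(32)),
        # The caveat raised above: with the key extracted, FOO' passes.
        "hardware key extracted": verify(expected, n1, expected, sign(n1, expected)),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The last case is why the scheme only raises the bar: the guarantee is exactly as strong as the hardware's ability to keep its key.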
