💾 Archived View for rawtext.club › ~sloum › geminilist › 000595.gmi captured on 2020-09-24 at 02:27:45. Gemini links have been rewritten to link to archived content


Server software recommendations

solderpunk solderpunk at SDF.ORG

Thu May 14 16:08:11 BST 2020

- - - - - - - - - - - - - - - - - - -

On Thu, May 14, 2020 at 12:35:45PM +0000, tiwesdaeg at tilde.pink wrote: 
> I'm using molly-brown currently, because I like how it handles user
> public_gemini directories. Full cgi support would be nice.

I've been meaning to write a gemlog about this for ages, but never seem to have the time...

CGI support in Molly Brown scares the pants off me.  Go doesn't reliably support setuid() and this totally breaks all the standard paradigms of unix server design.  In particular, I can find no way for MB to spawn a CGI process which doesn't run as the same user as MB itself, and therefore necessarily has the ability to read the TLS private key files and write to the log file, which is obviously a massive security hole. Because the MB process never runs as root, it's not possible to chroot the CGI processes somewhere they couldn't see those files, either.

I'm frankly baffled that a language with Ken Thompson and Rob Pike as designers, created specifically to help Google engineers write server software, could turn out to be so terrible for...writing servers on unix.  I can only imagine this has happened because nobody at Google would ever do something so terribly mundane and non-scalable as fork off an entire whole new process on the same machine to generate some content.  Probably there'd be ten layers of containers and proxying and reverse-proxying and other Cloudian faff keeping the content-generating processes separated from the server processes so that uids were a quaint and irrelevant consideration.

(if any Go wizards have recently joined the list and can correct me on any of the above I'd be thrilled)

If you're just running your own server and you have control over the CGI code, then go for it and be careful.  In a pubnix type environment where you are letting third parties upload stuff, you basically need to be extremely careful, use the configuration to restrict CGI to directories writable only by people you really trust or will actively verify the code of.

This was the reason that I pondered a few months back on this list some kind of FastCGI-esque system for a Gemini server to communicate with a process it didn't spawn itself over a domain socket or similar.  But maybe I should just give up on Go for servers (this exact same issue affects Shizaru, too.).

Cheers,
Solderpunk

> Thanks for all the hard work all you software developers are doing!
>
> On Thu, May 14, 2020 at 04:50:41AM -0400, Sean Conner wrote:
> > It was thus said that the Great Ecmel Berk Canlıer once stated:
> > > Hello all!
> > >
> > > I've been checking out the mailing list and reading about Gemini every
> > > now and then, and decided to try and host a Gemini server for my blog.
> > >
> > > One question I had is: Which server software is the most mature one?
> >
> >   What do you mean by "most mature"?  By age, it's GLV-1.12556 (disclaimer:
> > I wrote it).  By feature set, it's a toss-up between GLV-1.12556:
> >
> >     * support for any type of documents (from multiple directories)
> >     * CGI (both Gemini and HTTP specific, RFC-3875 compliant)
> >     * user directories
> >     * client certificate support
> >     * easy to extend with custom modules (if you know Lua)
> >
> > and Gemserv:
> >
> >     * support for any type of document
> >     * CGI (Gemini only, not quite RFC-3875 compliant)
> >     * user directories
> >     * reverse proxy
> >     * virtual hosts
> >
> > Both have recent updates. By popularity, last time I checked, it was
> > JetForce (which also has had recent updates).  Of the three mentioned,
> > JetForce is in Python, Gemserv in Rust, and GLV-1.12556 in Lua.  The lack of
> > virtual hosting in GLV-1.12556 is because I lack experience in dealing with
> > server certificates with multiple hosts, and because of that, I can't exactly
> > test that feature.
> >
> > > On the software list [1], there is no description about the state and
> > > feature set of any of the listed server software.
> > >
> > > [1]: gemini://gemini.circumlunar.space/software/
> > >
> > > I only need to serve static files, as everything else happens on a
> > > static site generator before being uploaded.
> >
> >   If that's the case, then most of the servers would probably work, it then
> > comes down to which language do you have available for compiling/running the
> > server.
> >
> >   -spc
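
The mitigation suggested in the message above (restrict CGI to directories writable only by trusted people) can be checked mechanically before a directory is enabled for CGI. The Go program below is an added example, not part of the original message and not code from Molly Brown; `AuditCGIDir`, `Finding` and the trusted-uid set are hypothetical names, and it assumes a Unix system.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"syscall"
)

// Finding is one path under a CGI directory that someone outside the
// trusted set could modify (hypothetical type for this example).
type Finding struct{ Path, Reason string }

// AuditCGIDir walks root without following symlinks and reports entries
// that are group/world-writable or owned by a uid not in trusted.
func AuditCGIDir(root string, trusted map[uint32]bool) ([]Finding, error) {
	var out []Finding
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		info, err := d.Info() // Lstat semantics: describes the link itself
		if err != nil {
			return err
		}
		if info.Mode()&fs.ModeSymlink != 0 {
			out = append(out, Finding{p, "symlink (target not audited)"})
			return nil
		}
		if info.Mode().Perm()&0o022 != 0 {
			out = append(out, Finding{p, "group/world-writable"})
		}
		if st, ok := info.Sys().(*syscall.Stat_t); ok && !trusted[st.Uid] {
			out = append(out, Finding{p, fmt.Sprintf("owned by untrusted uid %d", st.Uid)})
		}
		return nil
	})
	return out, err
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: cgiaudit <cgi-dir>")
		os.Exit(2)
	}
	// Assumption: only root and the account running the audit are trusted.
	trusted := map[uint32]bool{0: true, uint32(os.Getuid()): true}
	findings, err := AuditCGIDir(os.Args[1], trusted)
	for _, f := range findings {
		fmt.Printf("%s: %s\n", f.Path, f.Reason)
	}
	if err != nil || len(findings) > 0 {
		os.Exit(1)
	}
}
```

A clean result only shows that untrusted accounts cannot change what runs; any script that does run still has the server's own access to the key and log files.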