πΎ Archived View for gem.benscraft.info βΊ mailing-list βΊ messages βΊ 181 captured on 2021-12-05 at 23:47:19. Gemini links have been rewritten to link to archived content
β¬ οΈ Previous capture (2021-12-03)
-=-=-=-=-=-=-
- Jason McBrayer <jmcbray at carcosa.net>
@ Fri, 09 Apr 2021 09:44 -0400
Reply to Mansfield <mansfield at ondollo.com>
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Mansfield writes:
I also think that paying to sign the binaries would still *not* be
enough, right? At least, from my perspective (imagining I hadn't
written it) I would still not trust the client or server.
It's hard to say. I lean towards no... I know on proprietary OSes that
people do normally download and run signed binaries, and that this is
the level of trust that's normal to them. But so far, I haven't
recommended anything that's not Free Software...
Likewise, the client locks the user into using your server for
publishing. While that's certainly the easiest approach starting out,
I'd rather see an open standard for registration and publishing,
preferably using existing protocols.
Interesting perspective... I think I would have characterized it
differently, but that's OK. When you mention 'using existing
protocols', I would assume you mean SSH - is that what you were
meaning?
SSH would in some ways be the best option. It's secure, and easy for the
server admins to set up and permission. But it makes a cross-platform
client harder, particularly on Windows (no vendor-supplied scp binary,
and it's known to be very hard to build libssh2 there). FTP is an
option, but it has privacy/security issues, and supporting libraries
often don't support FTPS. There's a case to be made for using HTTPS,
honestly, but I'd like to avoid web platform stuff by default (i.e.,
unless it's clearly the best choice).
I think, from your perspective, you're looking for something that
is... open source... and that uses a more standard approach for
registering and publishing, right?
Yes. I'm actually working In My Copious Free Time on a standard and
a reference implementation for doing this, but I wouldn't expect real
fast progress. It's just at the thinking and taking notes stage.
Maybe if the client were written to run in the browser?
There are actually several browser-based Gemini posting options
(midnight.pub, gemlog.blue, flounder.online), but I'm interested in
native apps, in the interest of fully decoupling from the WWW.
But then the server wouldn't be open... humm... though... I'm
curious... is there *any* server that is running where the code being
run can be verified? I could see someone saying, "I'm running the open
source version of FOO as the server", but they could have tweaked it
to be FOO' or something... thoughts?
Most Gemini servers are FLOSS, but yes, there's no way to verify that
the code running on the server is exactly the public released code. I
don't see this as quite as essential as being able to trust the client
code, because if you're hosting your documents on someone else's server,
you've got to trust them to a certain extent anyway, and you're not
letting someone run code on your machine, with potential access to your
data that you haven't shared.
--
Jason McBrayer | βStrange is the night where black stars rise,
jmcbray@carcosa.net | and strange moons circle through the skies,
| but stranger still is lost Carcosa.β
| β Robert W. Chambers,The King in Yellow
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ