💾 Archived View for gem.splatt9990.com › post-1-Upgrading-Gemini.gmi captured on 2023-09-28 at 15:30:46. Gemini links have been rewritten to link to archived content
This is the first post of my 100 Days to Offload challenge.
Well, I hate to do it, but unfortunately the somewhat bit-rotten state of this gemini server mandates it. I have to talk about what software I'm using to host my gemini server. Sorry...
I originally started this capsule on a small VM in my home lab. I pretty much found out about gemini and spun up a VM to host it. As part of that, I chose gmnisrv as my server implementation. Fast-forward to now, and gmnisrv is no longer maintained (it was Drew DeVault's implementation and he abandoned it when he left geminispace.) Given it's a gemini server and it was pretty feature complete, this wouldn't normally have been a problem. However, I originally started this VM on Fedora 33 (the then-current version of Fedora.) Well, Fedora doesn't really do LTS, so it's long been out of support. Hosting networked software on the public internet using abandoned, memory-unsafe software on an unsupported OS is a recipe for trouble, even with Gemini. So I figured I should probably at least update my OS so I'd still get security updates, right? Well, it turns out that starting with Fedora 37, Red Hat ships OpenSSL v3.x, and gmnisrv assumes it's linking against OpenSSL v1.1.x. After upgrading my OS, gmnisrv would no longer compile on the system. Cue internal screaming...
At this point, I had a few choices. I could attempt to patch gmnisrv myself, I could compile and maintain 1.1.x OpenSSL (and hope that's the only issue with using gmnisrv), or I could just move to different, maintained server software. Given I've no familiarity with OpenSSL, and that library closely resembles a creeping, eldritch horror, the first option quickly became a non-starter. Getting, compiling, and (most difficult of all) attempting to force gmnisrv to link against a 1.1.x copy of OpenSSL probably would have been possible, if a real PITA, but I didn't fancy having a vendored version of OpenSSL which could cause issues with installing future updates (i.e. software attempting to link to it rather than the official OpenSSL), so that option was also not a great idea. Also, who knows if there's another Heartbleed-style bug lurking in 1.1? So that left getting a new gemini server. After some shopping around, I decided on gmid. Like gmnisrv, it's written in C and has minimal dependencies, but it also has several nice features. It doesn't handle generating its own certs, but I was able to reuse the ones that gmnisrv generated instead (TOFU certs are issued for 100 years, so they're good for a while.) gmid also has a much nicer configuration language, somewhat similar in syntax to nginx's.
After struggling a bit to alter my systemd configuration for the server (gmnisrv just ran in the foreground; gmid forks like a proper daemon), I finally got the server back up and running properly. So we'll see how it goes. Maybe I won't have to worry about it for another 2 years and we can continue to not drag on about which software we're running our capsules on.
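An added example, not from the original post and not the gmid project's own unit file: a systemd service for gmid that sidesteps the forking problem by keeping the server in the foreground so systemd supervises it directly, plus the hardening directives a public-facing daemon on a single home-lab VM should carry. The binary and config paths, the gmid service user, the content directory, and gmid's -f (foreground) and -c (config file) flags are assumptions here; check gmid(1) and your package's install locations before using it.

```ini
[Unit]
Description=gmid Gemini server
After=network-online.target
Wants=network-online.target

[Service]
# Assumed: gmid's -f flag keeps it in the foreground and -c selects the
# config file; /usr/local/bin/gmid and /etc/gmid.conf are placeholder paths.
Type=simple
ExecStart=/usr/local/bin/gmid -f -c /etc/gmid.conf
Restart=on-failure
RestartSec=5s

# Run as an unprivileged account (assumed name). Port 1965 is unprivileged,
# so no capabilities are needed to bind it.
User=gmid
Group=gmid

# Hardening: the OS tree is read-only to the service, only the capsule
# content (assumed under /var/gemini), the config and the TLS material
# are readable, and the process cannot gain privileges later.
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
PrivateDevices=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
RestrictNamespaces=true
LockPersonality=true
MemoryDenyWriteExecute=true
ReadOnlyPaths=/var/gemini /etc/gmid.conf /etc/gmid

[Install]
WantedBy=multi-user.target
```

If the binary is left to daemonize instead, the unit needs Type=forking and a PIDFile= that matches what the daemon writes, which is the usual source of the "service started but systemd thinks it failed" confusion described above. Running under User= means systemd drops privileges before gmid starts; if gmid's own user/chroot options are used instead, the unit has to start as root so gmid can drop privileges itself, so pick one approach rather than both. Because MemoryDenyWriteExecute= and ProtectSystem=strict can break a server that expects to write somewhere, run `systemd-analyze security gmid.service` and `journalctl -u gmid` after the first start to confirm the sandbox is in effect and the daemon is not being killed by it.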