💾 Archived View for libreserver.org › rss.xml captured on 2024-05-26 at 14:36:09.
⬅️ Previous capture (2024-03-21)
-=-=-=-=-=-=-
<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:atom="http://www.w3.org/2005/Atom" version="2.0">
<channel>
<atom:link href="https://blog.libreserver.org/rss.xml" rel="self" type="application/rss+xml"/>
<title>LibreServer Blog</title>
<link>gemini://libreserver.org/blog</link>
<description>LibreServer is a home server system which enables you to run your own internet services, individually or as a household. It includes all of the things you'd expect such as email, chat, VoIP, web sites, wikis, blogs, social networks, media hosting and more. You can run Freedombone on an old laptop or single board computer. No ads and no built-in spying.</description>
<lastBuildDate>Mon, 22 Jan 2024 10:35:07 +0000</lastBuildDate>
<item>
<title>Epicyon release version 1.5.0 "Bounding Basset"</title>
<link>gemini://libreserver.org/blog/epicyon-release-version-1-5-0-bounding-beagle.gmi</link>
<description><p>After a year accumulating bug fixes, whack-a-mole protocol updates and other incremental improvements <a href="https://libreserver.org/epicyon">Epicyon</a> version 1.5.0 - codename &quot;Bounding Basset&quot; - is hereby unleashed upon an unsuspecting internet.</p>
<p>The full changelog <a href="https://libreserver.org/epicyon/v1_5_0.html">can be found here</a>.</p>
<p>ActivityPub is still gaining popularity, mainly as the last best option. My impression is that the people leaving Twitter and joining the fediverse are not doing it because they're attracted to the features or decentralisation. They're doing it because there aren't other options which havn't been turned into unmoderated dumpster fires.</p>
<p>Epicyon is about small scale social networks, where the instances are either single user or squad sized with less than ten accounts. It is designed not to scale, and so is the inverse of the common tech paradigm. Small federated affinity groups are a lot more resistant to both technical and social adversaries, and it is possible to scale outwards rather than upwards. It has a html + css user interface with a Python backend, and can be used with javascript turned off or in a shell browser from a console.</p>
<p>If you like this approach you can support the project <a href="https://www.patreon.com/freedombone">on Patreon</a>.</p></description>
<pubDate>Mon, 22 Jan 2024 10:00:39 +0000</pubDate>
<guid isPermaLink="false">d314006ca070e013eeb41e896dc29bdd</guid>
</item>
<item>
<title>Epicyon release version 1.4.0</title>
<link>gemini://libreserver.org/blog/epicyon-release-version-1-4-0.gmi</link>
<description><p>Another year, another version of <a href="https://libreserver.org/epicyon">Epicyon</a>. The details of changes can be <a href="https://libreserver.org/epicyon/v1_4_0.html">found here</a>. Over the last year there have been many bug fixes and small improvements, and I have added more documentation.</p>
<p>Things seem to be going quite well for the fediverse in general, and there also appears to be declining mindshare in the legacy silo systems and in the scammy &quot;web3&quot;. Open standards are making something of a comeback. The fall of Twitter may mean that activists start <a href="https://www.youtube.com/watch?v=96zh0AjCpwA">running their own infrastructure</a> again, and there's the potential for something like another Indymedia to emerge from the smoldering ruins.</p></description>
<pubDate>Mon, 23 Jan 2023 18:59:06 +0000</pubDate>
<guid isPermaLink="false">8a3410ff583c4a6c9e236970aa7f01d1</guid>
</item>
<item>
<title>Emerging from Darkness</title>
<link>gemini://libreserver.org/blog/emerging-from-darkness.gmi</link>
<description><p>With the release of <a href="https://github.com/mastodon/mastodon/releases/tag/v4.0.0">version 4 of Mastodon</a> there has been a problem of links to profile pages or conversation threads &quot;going dark&quot; within shell based browsers, such as <a href="https://lynx.invisible-island.net">Lynx</a>. In version 3.x you would get a text rendering of each page, but now you only get a terse <em>&quot;To use the Mastodon web application, please enable JavaScript&quot;</em> message.</p>
<p>I had been following the philosophy of <em>&quot;do the minimum thing that works&quot;</em> with <a href="https://libreserver.org/epicyon">Epicyon</a>, but after Mastodon 4, just linking directly to Mastodon web content was no longer sufficient to be universally legible. So I have now replaced those direct links with a <em>conversation view</em> and a different way of viewing Mastodon profiles in which the html is all rendered by Epicyon itself. This brings back the otherwise Javascript-shrouded fediverse content, and also has the added advantage that it fully supports <em>authorized fetch</em>, which in Mastodon is known as &quot;secure mode&quot;. It also makes the user interface more consistent looking in shell browsers.</p></description>
<pubDate>Mon, 02 Jan 2023 13:56:57 +0000</pubDate>
<guid isPermaLink="false">39b95e88b460259cd203775c2106d061</guid>
</item>
<item>
<title>Verified sites</title>
<link>gemini://libreserver.org/blog/verified-sites.gmi</link>
<description><p>Mastodon has a feature which enables you to <a href="https://www.zylstra.org/blog/2018/10/mastodon-rel-me">verify that a website in your profile belongs to you</a>, and I've now added the same capability for website and blog links in <a href="https://libreserver.org/epicyon">Epicyon</a>.</p>
<img src="https://blog.libreserver.org/bl-content/uploads/manual-verified-website.jpg" alt="Epicyon profile screen showing a verified website in green">
<p>So if the website contains a <strong>rel=&quot;me&quot;</strong> link back to your profile screen then they both reference each other and the link turns green.</p>
<h3>The Musk Exodus</h3>
<p>The current exodus from Twitter, driven by the hubris of its new owner, is probably the biggest so far. I expect that what he's doing is to knock the thing down to then rebuild it in his own image. For the first time I noticed Mastodon being talked about on the BBC news, and not just as a passing mention but as a segment a few minutes long where the presenter described roughly what it is and how it works. That's a level of promotion which the fediverse has never had previously.</p>
<p>If Musk's plans for Twitter turn out to be unpopular then there is a realistic chance that in the next few years the fediverse will become much more mainstream. Epicyon is written in such a way that even if were billions of active users in the wider fediverse you would still be mostly interacting only with the people that you are following. So you can keep the cosy small world feel even if the network is expansive.</p></description>
<pubDate>Wed, 09 Nov 2022 19:54:02 +0000</pubDate>
<guid isPermaLink="false">aae54531f2797ed2bf451ce484d2d57d</guid>
</item>
<item>
<title>Geospatial Hashtags</title>
<link>gemini://libreserver.org/blog/geospatial-hashtags.gmi</link>
<description><img src="https://blog.libreserver.org/bl-content/uploads/geospatial_hashtags.jpg" alt="Map showing three geolocations">
<p>For a while it has been possible to associate geolocations with posts in <a href="https://libreserver.org/epicyon">Epicyon</a>. You can paste a map link into the location field when creating a new post, or just paste it into the message text. The obvious extension to this is to collate that information under hashtags, so that you can view multiple geolocations from multiple posts on a single map, with the hashtag providing some semantic indication of what those locations mean.</p>
<p>Geospatial hashtags have now been added, so if a hashtag has geolocations associated with it then on the search screen it will appear with a pushpin icon next to it. If you view the posts for a hashtag then if there are geolocations within the posts you will see some additional buttons for different time periods. So for example you could view the geolocations for the previous day or the previous week.</p>
<p>If this all sounds quite abstract, there are real applications for this. You can do things like crowdsourcing the best restaurants in town, or the locations of damage after a storm or sightings of particular bird species on a particular day.</p>
<p>The format being used for map geolocations is currently <a href="https://en.wikipedia.org/wiki/Keyhole_Markup_Language">KML</a>, but also <a href="https://en.wikipedia.org/wiki/GPS_Exchange_Format">GPX</a> can be used as an alternative using the command option <em>--mapFormat</em>. On mobile a KML file can be opened within the <a href="https://osmand.net">OpenStreetMap app</a>, or with <a href="https://marble.kde.org">Marble</a> on a desktop. Using these formats means that minimal code is needed within Epicyon and that no javascript is required.</p>
<p>As far as I know, geospatial hashtags are a novel feature within a social network system. I don't think Twitter does this, or at least if it does then not by default.</p></description>
<pubDate>Wed, 24 Aug 2022 11:42:39 +0100</pubDate>
<guid isPermaLink="false">9c9aca271e262e1390f3f49434e2dd9f</guid>
</item>
<item>
<title>Optimising for Text Mode</title>
<link>gemini://libreserver.org/blog/optimising-for-text-mode.gmi</link>
<description><p>I've been improving the text mode browser experience of <a href="https://libreserver.org/epicyon">Epicyon</a> to remove clutter, fix bugs with creating new posts and work around limitations of the Lynx user interface.</p>
<p>&quot;But Mr Bob&quot;, you may ask, &quot;why in 2022 should anyone give a flying foobar about text mode browsing? Didn't that end in the pre-Cambrian era of the internet?&quot;</p>
<p>Some people may use text mode browsers for accessibility reasons, but I suspect that most uses of that variety now happens via more mainstream browsers with special plugins installed. But I still have a working and more than decade old netbook, which has a good keyboard and is retrofitted with an SSD and Atheros wifi card, and maxed out to 2GB of RAM. Trying to run the latest Firefox on it is like swimming through a tar pit, but anything done within a command shell is at least as fast as when this machine was new, and possibly faster due to the SSD. This allows me to keep running and getting use out of hardware which most people would consider to be beyond obsolete.</p></description>
<pubDate>Wed, 13 Jul 2022 19:09:18 +0100</pubDate>
<guid isPermaLink="false">17396a3309422d77bea9ef77e3b8c100</guid>
</item>
<item>
<title>Some energy considerations</title>
<link>gemini://libreserver.org/blog/some-energy-considerations.gmi</link>
<description><p>With the so-called &quot;cost of living crisis&quot; and with energy prices rising I have been checking the energy use of various computers and gadgets in my vicinity. Even before the current crisis there was talk of the rising energy use of computers and that this may be unsustainable in the long run.</p>
<p>What my own domestic electrical testing tells me is that the computers I'm using consume very little electricity compared to the common appliances, such as lights, kettle and oven. Even doing a rough back-of-the-envelope equivalency calculation, a single boiling of a kettle for one or two minutes is approximately equivalent to a high specification gaming PC with a giant graphics card running continuously at 100% CPU utilization for multiple days.</p>
<p>So the energy unsustainability of computing seems to be primarily coming not for ordinary domestic use of computers but from cloud computing in data centers and/or cryptocurrency mining. Energy used by data centers appears to be included within estimates for the energy cost of tablets and IoT devices.</p>
<p>So when it comes to energy saving the things to focus on are the <em>boring tech</em> of lights and kitchen appliances. Especially any sort of heating appliance. Trying to save a few watts on computers won't make much of a reduction in electricity bills.</p></description>
<pubDate>Sun, 03 Jul 2022 22:13:14 +0100</pubDate>
<guid isPermaLink="false">e518d58e8345e13274655f60410734f8</guid>
</item>
<item>
<title>Gemini Returns</title>
<link>gemini://libreserver.org/blog/gemini-returns.gmi</link>
<description><img src="https://blog.libreserver.org/bl-content/uploads/moar.png" alt="Screenshot of the Leo gemini client showing the MOAR recipes archive">
<p>The gemini app had been removed from the onion version of <a href="https://libreserver.org">LibreServer</a>, not because the server side didn't work but because I couldn't find any gemini clients which were capable of running over Tor.</p>
<p>But recently I found a client which does work through a Tor proxy, called Leo. It needed some bug fixes and command aliases to make navigating easier and this <a href="https://github.com/bashrc2/leo">modified version</a> has now been included within the LibreServer gemini app. So gemini is now back in the onion version again.</p>
<p>I doubt that the <a href="https://gemini.circumlunar.space">gemini protocol</a> will take over the world, but it has its niche as a simple &quot;no frills&quot; online documents system which is much easier to learn than HTML. Because it's so simple and because it also has transport security it's likely to be a lot more difficult for adversaries to attack. The small size in terms of lines of code also makes it suitable for use in education, since you can read the entire codebase in a small amount of time.</p></description>
<pubDate>Fri, 17 Jun 2022 22:57:38 +0100</pubDate>
<guid isPermaLink="false">e95bd811536c91fd6c56c2f8e4f7e828</guid>
</item>
<item>
<title>Thoughts on Web5</title>
<link>gemini://libreserver.org/blog/thoughts-on-web5.gmi</link>
<description><p>Assigning very hazily defined versions to the world wide web seems to be the current fashion. Recently there has been the <a href="https://developer.tbd.website/projects/web5">Web5 proposal</a> emerging from Jack Dorsey et al, formerly also known as project BlueSky.</p>
<p>The portable identity problem which Web5 is aiming to solve is a valid concern. It's similar to the problem of nomadic identity in the fediverse. Ideally, your social network identity wouldn't be strongly anchored to a particular domain name, so that you could then easily migrate between instances. Easy migration would help to reduce &quot;dreadnought&quot; syndrome where there is one infeasibly massive, expensive to run, and hard to moderate instance creating a sort of <em>black hole network effect</em> within an otherwise decentralized architecture.</p>
<p>The architecture proposed by Web5 is similar to that of the <a href="https://solidproject.org">Solid project</a>. You have a database containing your documents and a permissions system whereby other internet systems can be given access to your data. If you are familiar with self-hosting then this is like a sort of home server but virtualized in the cloud.</p>
<p>In the abstract the Solid or Web5 design is reasonable. Any step away from centralized silos and lock-in effects is going to be beneficial for users. But with software the devil is always in the details, and the details of Web5 are...not all that great.</p>
<p>My biggest criticism of both Solid and Web5 is that the identity system is based upon Decentralized IDs (DIDs), which are overwhelmingly based on blockchain. Web5 is specifically proposing that identity be based on the oldest and dirtiest blockchain technology: Bitcoin. There are many problems with blockchain systems. They are slow, require global consensus and so are logically centralized, and use up gigantic amounts of electricity. Blockchain mining is so expensive that over the last decade it has become highly centralized. The inefficiency is also concealed from the end user in that it happens &quot;somewhere out there&quot; and becomes someone else's problem rather than directly on your phone or laptop.</p>
<p>If there is a solution to the identity problem then it needs to be lightweight and genuinely decentralized, not requiring proof-of-work or proof-of-stake somewhere in the background. Blockchain stuff is really a fake decentralization, cloaked by mathematical complexity.</p>
<p>But the fact that the internet has an identity dilemma is undeniable, and needing to create a separate account on every website is a high friction user experience. At present using a password manager seems to be the best solution, and maybe that will be surpassed by hardware tokens in the next few years. So a good version of Web5 would use something like hardware tokens for identity, and those are then able to encrypt/decrypt your data store, which could exist in multiple places and be automatically synced, like nomadic accounts on different instances in the fediverse. No blockchains would be needed.</p></description>
<pubDate>Mon, 13 Jun 2022 09:32:34 +0100</pubDate>
<guid isPermaLink="false">0bd75f095a24d61df597e26e33755841</guid>
</item>
<item>
<title>Tabbed Browsing</title>
<link>gemini://libreserver.org/blog/tabbed-browsing.gmi</link>
<description><p>Browsing around just by using the <strong>Tab</strong> and <strong>Enter</strong> keys was always possible in <a href="https://libreserver.org/epicyon">Epicyon</a>, but the tab sequence didn't make much sense and it was more a case of <em>&quot;hit tab and hope for the best&quot;</em>. Also on some screens tab position highlighting was missing.</p>
<p>Now tabbed browsing has been improved so that the sequence is more logical and this style of navigation should be more practical. Missing <a href="https://en.wikipedia.org/wiki/Access_key">access keys</a> have also been connected to the user interface so that for example you can immediately create a new post using a particular key combination (shift+alt+n).</p>
<p>The access keys are all customisable, and if you can remember them and are using a laptop or desktop then operating Epicyon can be significantly faster than dragging a mouse around. This system is also sufficiently lightweight that provided that your internet bandwidth is good then moving between screens is comparably fast to using a native app.</p></description>
<pubDate>Wed, 25 May 2022 21:16:49 +0100</pubDate>
<guid isPermaLink="false">3ba53f0154e9cca38631045b2a47ca3e</guid>
</item>
<item>
<title>LibreServer on Raspberry Pi 64 bit</title>
<link>gemini://libreserver.org/blog/libreserver-of-raspberry-pi-64-bit.gmi</link>
<description><p>There is now an official 64bit version of Raspbian, and so a new <a href="https://libreserver.org">LibreServer</a> image has been made which is based on that. In theory this should have better performance on the hardware, and I've seen various claims about that. But often performance benchmarks are heavily based around graphics, and on a server graphics aren't used, so the actual performance improvement might be quite modest.</p>
<p>Even so, if you're on a tight energy budget or running on solar then every saved electron counts.</p>
<p>In the process of making the new image there have been a few bug fixes, and I noticed that the way in which the system was detecting whether it was a Raspberry Pi or not needed to change.</p>
<p>You can get the new image <a href="https://libreserver.org/downloads/libreserver-raspbian.zip">here</a>, or there is also a <a href="https://libreserver.org/downloads/torrents.txt">magnet link</a> for torrenting.</p></description>
<pubDate>Fri, 13 May 2022 19:33:01 +0100</pubDate>
<guid isPermaLink="false">a2edc9ad9e25001579837d173e9bc687</guid>
</item>
<item>
<title>Epicyon development, April 2022</title>
<link>gemini://libreserver.org/blog/epicyon-development-april-2022.gmi</link>
<description><p>This blog has been quiet recently, but of course development on <a href="https://libreserver.org/epicyon">Epicyon</a> is continuing. Some things recently added are:</p>
<ul>
<li>Support for iCard on the profile page. So you can download a file and import it into an email client. Hence it becomes easier for other people to use you as a contact within their systems.</li>
<li>Support for iCal and CalDav. The calendar is now also a CalDav server. More remains to be done on this to integrate the desktop client with the calendar. Since these are also open standards it makes it easier for other systems to integrate with a fediverse server.</li>
<li>Improved support for languages. Korean and Polish languages have been added, and when creating a new post it's now possible to specify the language that you're writing within. That then allows language preferences to work correctly for anyone who is following you. This should help in situations where you are posting in more than one language on the same account.</li>
<li>Support for Jami has been deprecated. This is because it's usernames require the use of Etherium. When Etherium no longer uses proof-of-work then this change could be reversed, but until that time I don't consider it to be a good idea to promote systems which deliberately waste electricity.</li>
<li>Improved support for onion addresses and I2P. If onion or I2P addresses are specified as options when running the daemon then separate sessions are created for those. This means that you can have the responsiveness of the clearnet and yet also be compatible with onion addresses. On the onion side, onion-only Epicyon instances only ever need to interact within the onionspace because to them your ordinarily clearnet instance looks like just another onion one.</li>
<li>Support for more commonly used emoji.</li>
<li>Opt-in content warning lists for satire sites and Russian state media sites.</li>
<li>Improved user experience when replying to unlisted posts. The scope will default to unlisted, rather than followers.</li>
<li>Improved support for Cyrillic alphabet hashtags.</li>
<li>Added screens to show who liked or boosted/announced a post.</li>
</ul></description>
<pubDate>Mon, 18 Apr 2022 17:01:27 +0100</pubDate>
<guid isPermaLink="false">91a6b484ec4a4fb0e9da8fdcfc43732d</guid>
</item>
<item>
<title>Epicyon version 1.3.0</title>
<link>gemini://libreserver.org/blog/epicyon-version-1-3-0.gmi</link>
<description><p>It has been about a year since the last official release, so it's time for a new one. <a href="https://libreserver.org/epicyon/v1_3_0.html">Version 1.3.0 of Epicyon</a> is now out. There have been many changes over the last year, and I expect that the pace will slow down in future and that I'll being doing more things in the category of &quot;polish&quot;.</p>
<p>In <a href="https://www.patreon.com/file?h=61911077&amp;i=9954891">Mastodon's annual report</a> they say they're going to be focussing on groups and end-to-end cryptography during this year, so I expect to be including whatever changes are needed to stay compatible.</p>
<p>A couple of recent changes have been support for using a dyslexic font and improvement of the way that the nodeinfo site metadata works. Access to nodeinfo now requires a referer domain which corresponds to a working website. The referer domain should either be contained in a Referer header, or within the user agent. I've recently noticed that there appears to be some amount of abuse of nodeinfo going on, so that's why I've been tightening things up. Probably things are going to become more adversarial in future, so it's better to deal with issues before they become acute.</p>
<p>If you aren't already in the fediverse then now is a good time to join. The big commercial social networks are only going to become more hostile.</p></description>
<pubDate>Thu, 03 Feb 2022 19:11:52 +0000</pubDate>
<guid isPermaLink="false">d20743e3943e5343c005c6cf7bf08102</guid>
</item>
<item>
<title>Improving the podcast listening experience</title>
<link>gemini://libreserver.org/blog/improving-the-podcast-listening-experience.gmi</link>
<description><p>Previously if you added a podcast feed to the newswire within <a href="https://libreserver.org/epicyon">Epicyon</a> episodes would appear in the right column as links back to the original site. This is fine for most purposes, but it has to be admitted that especially on many podcast websites <em>the user experience is absolute garbage</em>. That means that you may need to search around hunting for an mp3 link or enabling javascript so that you can have a struggle session with some archaic embedded audio player which hasn't been updated for years. Often the bespoke embedded players are broken or just not accessible.</p>
<p>But now Epicyon does a better job of handling podcasts. Podcast episodes in the newswire now link to a podcast screen which includes the web browser's built-in audio player, a direct link to the audio and any relevant hashtags.</p>
<img src="https://blog.libreserver.org/bl-content/uploads/podcast.jpg" alt="Epicyon podcast screen showing 2600 podcast with hashtags and player">
<p>This removes a lot of the inconsistency and guesswork when playing podcasts, and should make for a better user experience.</p>
<p>The reason why many podcast sites are such trash has a lot to do with the now familiar reasons of getting people to click on ads and be tracked everywhere they go around the web. Really on the open web we ought to be aiming for something better than trash, which actually serves the user's interests first and foremost.</p></description>
<pubDate>Thu, 13 Jan 2022 17:09:33 +0000</pubDate>
<guid isPermaLink="false">3a142800949e79e78478df90eb531cd8</guid>
</item>
<item>
<title>Destination Libre</title>
<link>gemini://libreserver.org/blog/destination-libre.gmi</link>
<description><p>Last year with the Bullseye release of <a href="https://libreserver.org">LibreServer</a> I made a version of Debian for the Raspberry Pi version 4. But that was really a stopgap measure, and now that there is an official Raspbian version based on Bullseye I've switched over to using that instead.</p>
<p>The Raspbian version is now available <a href="https://libreserver.org/downloads">in the downloads</a> or as a <a href="https://libreserver.org/downloads/torrents.txt">torrent</a>. It's <em>Raspbian Lite</em> with a couple of scripts added to initiate the LibreServer install when you log in via ssh. The same image is suitable both for the standard and onion version. <a href="https://libreserver.org/installation.html">See here</a> for installation details.</p>
<h3>2022: the year when people run servers</h3>
<p>In the news recently is Moxie Marlinspike, <a href="https://moxie.org/2022/01/07/web3-first-impressions.html">saying that nobody will run servers</a>. According to him, not even nerds want to run their own servers. But anyone reading this probably already knows that this isn't true. There is more interest in running personal servers now than there was five or ten years ago, and LibreServer is just one of a number of ways that you can do it.</p>
<p>The social dynamics of the internet at this point seem quite clear. Either you join the independent open web and maybe try running a server or joining one run by someone you know, or you will have the boot of BigTech on your neck for the rest of your life. For some people with a lot of personal leverage in the system maybe the boot will not come down so hard, but for most of us a life under repression should not be the path that we choose.</p>
<p>Moxie is however correct that Web3 is garbage. Web3 is not really all that different from the one brought to you by Zuck &amp; co. It's a mirage of decentralization. Real independence means being able to do your own thing without being trapped inside of a very expensive global consensus mechanism.</p></description>
<pubDate>Sun, 09 Jan 2022 12:23:35 +0000</pubDate>
<guid isPermaLink="false">e5442709a0f28485273892e492dab02f</guid>
</item>
<item>
<title>2021 in review</title>
<link>gemini://libreserver.org/blog/2021-in-review.gmi</link>
<description><p>Whereas 2020 dragged, 2021 went in a flash. Mainly I have been working on the <a href="https://libreserver.org/epicyon">Epicyon</a> project, with some amount of development on other software including the Bullseye release of LibreServer.</p>
<p>Epicyon is now quite mature. There remains a problem with federating avatar images to Mastodon, but that seems to be related to Content Delivery Networks and so I'm not sure that there's anything that can be done about it.</p>
<p>LibreServer development is quite pedestrian now and with the release this year I have tried to simplify the deployment, rather than trying to support lots of single board computers. My opinion now is that self-hosting has a part in the future of the internet, but that it's not likely to become mainstream in the near future and I assume it will remain a fringe activity.</p>
<p>I've also updated some of the environmental projects - Tempgraph and CCG - to use Python instead of C++. The data formats have been changing, and supporting those changes in C++ was going to be complicated, so rewriting those things in Python will make keeping up with any future similar changes a lot easier. Overall the environmental situation looks bleak, and nothing that has been done so far - the fancy political conferences, and so on - has moved the trends at all.</p>
<p>In terms of ideas about the internet, the rest of the world seems to have caught up with where I was a decade ago. Back then I had the FreedomBox-like opinion that the internet was becoming too centralized and that taking back ownership of your data from disparate silos was a good idea. Back then the concept of running your own email server or web server was considered to be an act of sheer lunacy. <em>&quot;Leave it to Google. They're the experts&quot;</em> was the typical attitude. Today skepticism towards big tech companies is quite normal.</p>
<p>Also this year I was indefinitely suspended from Twitter. The only reason given was &quot;suspicious activity&quot;, and at first I thought it had something to do with a browser version upgrade, but after a while it became evident that wasn't the case. I didn't do much on that site other than posting music links, make occasional project announcements and read the news. Also the timing of the suspension coincided with the LibreServer Bullseye release, so make of that what you will.</p>
<p>So now other than very rare checking of Facebook I don't have much involvement with mainstream social media, and primarily exist on &quot;the open web&quot;. YouTube is about as close as I get to the BigTech systems. The internet is always changing, and one thing I've noticed recently is a revival of interest in the very old idea of webrings. No Googling involved, just lists of related sites and then manually surf around to see what you can find.</p>
<p>Another internet trend which became obvious this year is the ideological split between those for and against cryptocurrencies and blockchain based systems. I tend to think of cryptocurrency as a failed project, which never succeeded in disintermediating the banking system. If you look at how those technologies are used now it's primarily to benefit bankers and other ultra-rich individuals via currency speculation at exchanges or via NFT scams.</p>
<p>Where things will go in 2022 is anyone's guess. I don't have any dazzling predictions. At least life isn't predictable. The last few years and in fact the last decade has felt like lurching from one gut-wrenching crisis to the next.</p></description>
<pubDate>Fri, 24 Dec 2021 23:06:45 +0000</pubDate>
<guid isPermaLink="false">af423ff1e037e9dc7f3d113ba19b1a2e</guid>
</item>
<item>
<title>LibreServer Bullseye release 1</title>
<link>gemini://libreserver.org/blog/libreserver-bullseye-release-1.gmi</link>
<description><img src="https://blog.libreserver.org/bl-content/uploads/logo_0.png" alt="LibreServer logo">
<p>With this initial release for Debian Bullseye the Freedombone project changes to a new domain with a new name: LibreServer at <a href="https://libreserver.org">libreserver.org</a>. Although the name has changed the goal remains substantially the same - to make it easier to self-host internet services on low cost hardware that you personally own and control. It's about having some place on the internet which is genuinely yours, and where Google or Facebook are not acting as gatekeepers or bridge trolls. Getting back to the idea of the internet as a network of peers with a better balance of power.</p>
<h2>Changes in this release</h2>
<p>The most important changes are as follows:</p>
<ul>
<li>
<p>More sensible versioning: <em>LibreServer [Debian version] release [integer number]</em></p>
</li>
<li>
<p>The autonomous mesh version has been dropped. Originally it was hoped that the mesh version would use substantially the same functions as the home server version, but it didn't work out that way. Removing the mesh version simplifies things and keeps the project scope more focused. If there's enough interest then the autonomous mesh could be restarted as its own separate project. There is also some overlap with the Community Networks settings, so some mesh-like capabilities will still exist.</p>
</li>
<li>
<p>The Zot based apps have been replaced by <a href="https://codeberg.org/zot/roadhouse">Roadhouse</a>, which still has nomadic identity but is more oriented towards using the ActivityPub protocol, which has been growing in popularity.</p>
</li>
<li>
<p>There is now support for running on Raspberry Pi (version 4). The Raspberry Pi is not an ideal platform because it requires some closed non-libre boot files, but it is cheap and ubiquitous. Plus it may be possible to obtain this hardware relatively anonymously with cash in a shop.</p>
</li>
<li>
<p>Some apps have been deprecated, either because they required proprietary databases or are no longer supported because they didn't upgrade from Python 2 to version 3.</p>
</li>
<li>
<p>The SearX search and RSS feature within the web admin has been deprecated. This is another simplifying decision which keeps the project easier to maintain.</p>
</li>
<li>
<p>The initial installation method requires connecting via SSH. Whereas in the last version of Freedombone I was aiming for mainstream adoption I now concede that this was an unrealistic expectation given the current condition of the internet (issues with NAT, locked down routers, increasingly hostile ISPs, etc). The initial SSH setup presumes that the user is a techy or someone with enough motivation to learn the basics of networking. Doing it this way makes the setup more reliable, and if things go wrong it will be more obvious with a better chance of being able to debug problems. Detractors will say &quot;this is just freedom for techies and serfdom for everyone else&quot;, but you've got to start somewhere and also retaining independent tech skills at the local level is important. If you outsource skills to centralized organizations then you also cede power.</p>
</li>
<li>
<p>For the IRC app, <a href="https://gitlab.com/bashrc2/miniircd">miniircd</a> replaces ngirc. More compact and security hardened, with better moderation capability.</p>
</li>
</ul>
<img src="https://blog.libreserver.org/bl-content/uploads/libreserver_webui_mobile.jpg" alt="Web admin menu">
<h2>Changing strategy</h2>
<blockquote>
<p><em>“What we have is tech that subordinates human needs to corporate power. You could call that dystopian if you like, but maybe it’s something worse”</em> - McKenzie Wark </p>
</blockquote>
<p>Back in 2010 the idea was that anyone with a plug server and a suitably configured Debian stack would be able to have independent communications, flipping the table on Facebook. More than a decade later time has proven that the problem is a tougher one to crack than initial expectations implied. There is now more interest in self-hosting, and more people are doing it, but getting to the point of mass adoption has proven to be elusive mostly due to infrastructural and education hurdles.</p>
<p>This doesn't mean that self-hosting is no longer relevant, but that it is a limited tool. A tactic rather than a panacea. Other complementary initiatives will be required in order to get to a place where networks are no longer monopoly controlled. As indicated in the last release, community networks like Guifinet or NYC Mesh in which the last mile is owned by the people who use it may be an important step. Combine that with open hardware designs and some of the barriers to self-hosting would begin to fall. But this could be a long term struggle throughout the first half of this century, and success is by no means guaranteed.</p>
<p>The alternative to community run networks and services is what we have now, but worse: a world of total surveillance, artificial scarcity and information lockdown. <em>If this is a world we do not want then we ought to be doing something about it.</em> Complaining from the sidelines about the latest BigTech abuses or lobbying slimy politicians is not enough. One way or another, you need to become active.</p>
<h2>How to install</h2>
<p>Installation instructions <a href="https://libreserver.org/installation.html">can be found here</a>. You will need a Raspberry Pi 4 or any x86 machine, such as an old laptop. If you're not installing the onion version then you will need to own a domain name and have a Dynamic DNS account somewhere or an equivalent VPN setup.</p>
<p>At the present time Armbian doesn't have official builds for Debian 11, but once that occurs installing on a single board computer running Armbian will be a viable option also.</p></description>
<pubDate>Wed, 25 Aug 2021 10:33:46 +0100</pubDate>
<guid isPermaLink="false">7633665faf5f45d781f6a34918195ec7</guid>
</item>
<item>
<title>Federated Economy</title>
<link>gemini://libreserver.org/blog/federated-economy.gmi</link>
<description><p>The system for sharing stuff - which typically means physical objects like gardening tools, but could also include services like mesh antenna installation or dog walking - within <a href="https://libreserver.org/epicyon">Epicyon</a> has been modified.</p>
<p>Up until recently this had been a feature limited to the instance. If I had implemented it within ActivityPub then I feared that, like email, this would quickly become yet another way to push spam into inboxes across the federation. But now I've thought of a different way to do it, where the data is pulled from the server (like RSS) rather than pushed (like ActivityPub, or chat messengers). If you're pulling data from a server and it contains spam then you can always just decide to defederate from receiving shared items from the spam server. Pulling also keeps the producer or sharer in control of where their data is being accessed, whereas pushed public ActivityPub posts may be relayed in all directions and can end up anywhere.</p>
<p>Each Epicyon instance now has a catalog of shared items in <a href="https://www.datafoodconsortium.org/en">Data Food Consortium</a> json-ld format, which can be accessed either with basic auth or with the presentation of the appropriate object capabilities token. Whenever ActivityPub posts are sent to followers the shared items token is also sent as a header and in addition to the token an instance pulling the data must be on the shared items federation list defined by the admin. The shared items catalogs for consenting instances are occasionally synchronized in the background.</p>
<p>There is also now a wanted items section, which federates in the same way as for shared items. So you have both supply and demand represented - the minimum ingredients needed for an economy.</p>
<p>Imagine if Craigslist was invented in 2021, instead of 1995. I think it would be something like this. Unlike Craigslist or Ebay though this isn't an open market. It's a strictly opt-in consent based sharing system, comparable to a mutual aid system or gift economy between people who have already established a level of trust. The economic arising from the social.</p>
<p>And before anyone asks, <em>no I do not have any intention of supporting cryptocurrencies</em>. This is mostly for bartering or gifting, in an era where money is almost an extinct species from a dimly remembered past.</p>
<p>At the bottom of the left column there is also a link to the shares catalog which can be downloaded in CSV format. This makes it easy to get your collective inventory of things into a spreadsheet.</p></description>
<pubDate>Tue, 10 Aug 2021 14:06:37 +0100</pubDate>
<guid isPermaLink="false">493e4f3f36c51006dec49cd14ba5c97e</guid>
</item>
<item>
<title>Redoing IRC</title>
<link>gemini://libreserver.org/blog/redoing-irc.gmi</link>
<description><p>With Freenode melting down under an aristocratic dictatorship this was a reminder to revisit the IRC app which is going to exist within the next version of Freedombone. I had already switched from <a href="https://ngircd.barton.de">ngircd</a> to miniircd, but miniircd as it previously existed was extremely basic in its functionality. Since it's written in Python and easy to hack on, I've implemented many of the IRC protocol features related to creating accounts and doing moderation. My <a href="https://gitlab.com/bashrc2/miniircd">forked version</a> is on Gitlab.</p>
<p>With moderation features in place the implementation of IRC on Freedombone can be made pretty secure, such that it remains under the control of server members. IRC accounts are generated automatically based on the Freedombone web admin members section, and the IRC server is configured by default such that only members are permitted to send messages and join or create channels. If you need to allow extra people onto your server then you can use the NEWREG command to define a number of new registrations permitted. The whole thing also runs in a chroot with limited privileges.</p>
<p>In 2021, you may well ask, why even have an IRC app at all? Isn't IRC an outdated relic from a bygone era?</p>
<p>It depends who you ask. IRC still seems to play a role in the development of many well known Free Software projects, and it does have the advantage of being able to run well on extremely minimal hardware, such as <a href="https://www.armbian.com/orange-pi-zero">Orange Pi Zero</a>. The minimal requirements means that it should not be very difficult to run your own IRC server and avoid having your fate - or that of your project - decided through corporate shenanigans.</p></description>
<pubDate>Wed, 26 May 2021 13:38:08 +0100</pubDate>
<guid isPermaLink="false">303ca408e688cdfcce6a162d465669f2</guid>
</item>
<item>
<title>Keyboard Shortcuts</title>
<link>gemini://libreserver.org/blog/keyboard-shortcuts.gmi</link>
<description><p>If you're using a browser like Lynx then <a href="https://epicyon.net">Epicyon</a> is already quite straightforward to operate via a keyboard. But in a more conventional browser, like Firefox, it wasn't so easy to use with keyboard only. Not until now.</p>
<p>Keyboard shortcuts are now supported so that you can navigate around, make posts and search. You can also change them as needed. <em>Shift</em> + <em>Alt</em> + <em>k</em> opens the keyboard shortcuts screen, you can go to the DMs timeline with <em>Shift</em> + <em>Alt</em> + <em>d</em>, and so on. Once you know the keys then moving between timelines, calendar or search is very fast.</p>
<p>Operating web sites only with the keyboard is a minority thing, but it will be useful for some scenarios. It would also allow for the system to be operated using unconventional input devices.</p></description>
<pubDate>Sat, 24 Apr 2021 17:55:26 +0100</pubDate>
<guid isPermaLink="false">ef6e46067046dc6c1e503f13c71653ce</guid>
</item>
<item>
<title>Getting onboard</title>
<link>gemini://libreserver.org/blog/getting-onboard.gmi</link>
<description><p><a href="https://epicyon.net">Epicyon</a> now has some welcome screens which appear after you log in for the first time, and these can be used to provide any guidance to new members and make it easy for them to add an avatar image and description of themselves.</p>
<img src="https://blog.libreserver.org/bl-content/uploads/welcome.jpg" alt="Epicyon welcome screen">
<p>For someone using the system for the first time it can be non-obvious how to edit your profile, and so the welcome screens reduce that barrier. At first there will be no posts in your timeline, and so there is also help text for each of the timelines.</p>
<img src="https://blog.libreserver.org/bl-content/uploads/accountsetup.jpg" alt="Initial account setup screen">
<p>The help screen text can be theme-specific so that you can customise descriptions in accordance with the theme.</p></description>
<pubDate>Mon, 01 Mar 2021 12:24:40 +0000</pubDate>
<guid isPermaLink="false">f1d27be631b89e7572a3778498cd4db6</guid>
</item>
<item>
<title>The censorship problem</title>
<link>gemini://libreserver.org/blog/the-censorship-problem.gmi</link>
<description><img src="https://blog.libreserver.org/bl-content/uploads/censorship.png" alt="Poster about twitter censoring farmers protests in India, which included the largest strike in history">
<p>However reluctantly, Twitter is trying to clean up its act. Or at least improve its public relations. Governments may ride upon the wave of enthusiasm for removing the carnival of grotesqueness from that site. You can appeal to government departments, or inscrutable Twitter moderators, for transparency and lenience, but I don't think that approach is going to work, or even be useful as a general mode of governance. Those of us who are older know that transparency doesn't automatically lead to justice.</p>
<p>Ultimately, people have to govern their own communities and so in the longer term I doubt that Twitter and other web 2.0 silo sites whose mantra was <em>&quot;everyone in my database&quot;</em> will be able to retain their current monolithic architecture. Governance and accountability is something they're going to need to begin thinking about - even though they don't want to - and it's going to directly conflict with their business model. In a system which is more decentralized with more local governance targeted advertising is not going to work as well, and there will be higher operating costs.</p>
<p>So in the short term I think sites like Twitter will continue to struggle, and legitimate protesters like the farmers in India will continue to get censored merely because they're inconvenient to their government and Twitter is eager to placate government dictats. In the longer term I think things will become more decentralized, purely out of necessity, and there won't be one company setting a moderation policy for the whole world. In the far future the web 2.0 business model of the mid 2000s will be regarded as laughably naive.</p>
<p>But the far future is far off, and we ought to be thinking about what we can do now to begin building a better internet, free from despots, fascist thugs and troll armies.</p></description>
<pubDate>Mon, 08 Feb 2021 10:41:52 +0000</pubDate>
<guid isPermaLink="false">6a8ffda1565f2103c5f7bb6ccf4dbc8e</guid>
</item>
<item>
<title>Cryptography matters</title>
<link>gemini://libreserver.org/blog/cryptography-matters.gmi</link>
<description><p><a href="https://epicyon.net">Epicyon</a> now uses the <a href="https://packages.debian.org/bullseye/python3-cryptography">python3-cryptography</a> library for its http and jsonLD signatures. I did a side by side test of <strong>httpsig.py</strong> using either <em>pycryptodome</em> or <em>python3-cryptography</em>, and the latter turned out to be about 18 times faster. This made the switch-over into an easy decision, and it will help with running the system on low power single board computers, since the signature checks are the most computationally demanding aspect. Every time a post arrives in your inbox its signature gets checked to verify that it was really sent by its claimed author, so if you are following a few people and that's happening regularly then this adds up to a lot of cryptographic operations.</p>
<p><em>Side note: Cryptographic signature checking ensures that <a href="https://en.wikipedia.org/wiki/ActivityPub">ActivityPub</a> does not suffer from the <a href="https://en.wikipedia.org/wiki/Email_spoofing">spoofing problems</a> which bedevilled email and other forms of unverified communications in previous decades.</em></p>
<p>Why is there such a speed difference? In <em>pycryptodome</em> the <a href="https://en.wikipedia.org/wiki/RSA_(cryptosystem)">RSA algorithm</a> is implemented in Python. in <em>python3-cryptography</em> those operations are really just a wrapper around <a href="https://en.wikipedia.org/wiki/OpenSSL">OpenSSL</a>, which is written in C and assembly. The lower level languages are closer to the metal and tend to be a lot faster because there are fewer layers of abstraction.</p>
<p>There is also an added benefit that this reduces overall complexity and <a href="https://en.wikipedia.org/wiki/Attack_surface">attack surface</a>. Most web servers will already be using OpenSSL anyway, so dropping <em>pycryptodome</em> means one less set of cryptographic code implementation. OpenSSL is also so critical to the overall functioning of the internet that if there are any bugs they're likely to get fixed fairly quickly. There was the <a href="https://en.wikipedia.org/wiki/Heartbleed">heartbleed incident</a> some years ago, but since then the project has received more support and a lot of former problems have been cleaned up.</p>
<p>So if you are already running an instance of Epicyon then make sure that you have <em>python3-cryptography</em> installed before doing an upgrade. On <a href="https://libreserver.org">Freedombone</a> that is all handled automatically.</p></description>
<pubDate>Fri, 05 Feb 2021 09:52:38 +0000</pubDate>
<guid isPermaLink="false">8634c1676b3485208b8276d4e75c6d90</guid>
</item>
<item>
<title>Tackling the Ecosystem of Badness</title>
<link>gemini://libreserver.org/blog/tackling-the-ecosystem-of-badness.gmi</link>
<description><p>One problem which I wanted to avoid in <a href="https://epicyon.net">Epicyon</a> is what I call <em>the ecosystem of badness</em>. With other web apps - like Wordpress for example - you can also have themes which can be made independently. But if themes can include arbitrary CSS and Javascript then this means it's possible to create themes which exfiltrate data or attack users, and a <a href="https://en.wikipedia.org/wiki/Black_market">black market</a> then develops around such themes, which is comparable to the market for zero day exploits and other <em>&quot;cyberweapons&quot;</em>. In the presence of such threats, projects then usually create an official store or approved site for downloading themes, and once again you start to get gatekeeping and centralization. Points of control.</p>
<p>So to avoid that whenever a theme with custom CSS is activated in Epicyon it first has to go through a santization step, which removes or blocks javascript, nested style sheets with off-site links and other common malware vectors. This might limit the range of creativity to some extent, but I think the tradeoff is worth it. A lot of subsequent pain and drama can be avoided if you but some thought into the initial design, given the long history of how web apps have previously been weaponized.</p>
<p>Using one main set of CSS files which are then modified for each theme by changing the variables is also a strategy to avoid <em>the ecosystem of badness</em>. It also helps to keep maintenance to a minimum, since it avoids needing to maintain a separate set of CSS files for every theme.</p>
<p>Of course, since this is Free Software it's possible to easily remove the sanitization step from the code. But doing that probably means needing to fork the codebase, and this then makes bad actors easier to expose. For instance, you might see a fork with a single commit removing a few lines, and you'll then know that sites using that repo might be up to no good.</p></description>
<pubDate>Fri, 29 Jan 2021 09:38:34 +0000</pubDate>
<guid isPermaLink="false">25999366de9ebac16466dc31be265aaf</guid>
</item>
<item>
<title>Epicyon version 1.2.0 release</title>
<link>gemini://libreserver.org/blog/epicyon-version-1-2-0-release.gmi</link>
<description><img src="https://blog.libreserver.org/bl-content/uploads/dog.jpg" alt="Illustration of a dog">
<p>After many months of relentless keyboard bashing, <a href="https://epicyon.net">Epicyon</a> ActivityPub server version 1.2.0 is released. The main changes from the last version are:</p>
<p><strong>News integration</strong></p>
<p>This adds the ability to subscribe to RSS feeds and have them appear in a column on the right hand side of the screen. There is a publish button at the top of the right column which enables you to write a blog, with the ability to cite news items from your RSS feeds. Other Epicyon instances or RSS apps can subscribe to your blog feed or your news feed.</p>
<p>For additional resilience, you can also mirror the content from RSS feeds to your own site so that if the original source server goes down the articles will still be readable.</p>
<p><strong>Links column</strong></p>
<p>This uses the left column in a similar manner to a blogroll. You can add any links which you or other people on your instance may find useful. You can also add headers in order to group links under a topic.</p>
<p>The news and links columns and the way they behave are roughly inspired by the current <a href="https://conf.tube/videos/embed/953de898-74dc-4665-95fb-313042f66cc6">Indymedia reboot design</a> and based on the principles of the <a href="https://www.nadir.org/nadir/initiativ/agp/free/pga/hallm.htm">PGA hallmarks</a>.</p>
<p><strong>Hashtag categories</strong></p>
<p>If you are following many other people in the fediverse and they often use hashtags, then the hashtag swarm on the search page can get rather busy. To tame the hashtag chaos they can now be categorized into groups. When you select a hashtag from the swarm you can set a category at the top of the screen, and if you do this occasionally then over time you'll have more orderly groupings. To help with this process hashtag categories are also published as an RSS feed at the top of the right column, and other Epicyon instances can then add it to their followed feeds list along with the news feeds. Hence you can either have categories unique to your instance, or you can bootstrap the process through collective organization.</p>
<p><strong>Safer defaults</strong></p>
<p>The system now defaults to what in Mastodon is known as a &quot;locked account&quot;, so that others will need to get your permission to follow you and also you will only receive direct messages from people that you're following. This helps to improve the default user experience because it means that random spammers/trolls in the fediverse can't immediately begin sending you their latest offers or outrage-inducing hot takes.</p>
<p><strong>Improved tools for moderators</strong></p>
<p>If you suspect that a particular account might be a problem - whether it's on your own instance or not - then you can use the info button on the person options screen or the moderator screen to get a quick overview of what instances they're talking to and whether any of those are blocked.</p>
<p><strong>Petnames</strong></p>
<p>At last, you can now assign petnames to people that you're following. This helps especially if they are on onion or i2p addresses which are otherwise not human readable.</p>
<p><strong>No replies option</strong></p>
<p>There can be times when you just want to make a statement and don't want any replies. There is now the option to do this when creating a new post.</p>
<p><strong>Custom themes</strong></p>
<p>Creating customized themes has been made considerably easier. In the previous version adding a theme required manually hacking the Python code, but now themes can be created as a set of files in a directory - similar to the way that themes are implemented by other web apps.</p>
<p><strong>Various bug fixes</strong></p>
<p>Particularly including federation of avatar images and profile information.</p>
<p><em>Epicyon 1.2.0</em> can be <a href="https://libreserver.org/downloads/epicyon_1.2.0.orig.tar.gz">downloaded here</a> with the <a href="https://libreserver.org/downloads/epicyon_1.2.0.orig.tar.gz.asc">GPG signature here</a> using <a href="https://libreserver.org/downloads/freedombone_public_key.txt">this public key</a>, or if you want the latest development code then the <a href="https://gitlab.com/bashrc2/epicyon">repo is here</a>.</p>
<p>We hope you enjoy flying Epicyon. If you find this program useful then consider supporting it <a href="https://www.patreon.com/freedombone">on Patreon</a> if you have enough financial resources to do so. Epicyon is a sub-project of the larger <a href="https://libreserver.org">Freedombone</a> self-hosting system.</p></description>
<pubDate>Tue, 26 Jan 2021 10:23:01 +0000</pubDate>
<guid isPermaLink="false">4fdb3f686198f7e75efd0aca88cf73ef</guid>
</item>
<item>
<title>Json signatures redux</title>
<link>gemini://libreserver.org/blog/json-signatures-redux.gmi</link>
<description><p>Since the last blog post I've figured out more about how the context field is used in ActivityPub posts, and support for more common context schemas has been added to <a href="https://epicyon.net">Epicyon</a>. This should improve the signature checking, so that if you enable <em>&quot;verify all signatures&quot;</em> there should be a higher percentage of passes than was the case previously. But by default I'll leave json signature checking on incoming posts off. This also saves on processing power for single board computers, since it's the cryptography which comprises most of the computational cost of running the system.</p>
<p>In the process of making the signatures work I've also generally learned more about <a href="https://en.wikipedia.org/wiki/JSON-LD">json-LD</a>. I'm not highly enthusiastic about it, because networks of schemas do potentially create brittleness and potential for <em>denial of service</em>, whereas what I'm trying to do is to increase autonomy at the individual server level and to try to make it as robust to failures as possible. For example, I can imagine situations in which the failure of a single server produces cascading failures in other servers who rely upon dereferencing remote schemas.</p>
<p>If you're not familiar with json-LD then there is some good information about it in <a href="https://conf.tube/videos/watch/81248119-5e19-4798-bc37-f2cd5ed617c7">this APconf talk</a>.</p></description>
<pubDate>Thu, 14 Jan 2021 10:04:48 +0000</pubDate>
<guid isPermaLink="false">07aefa1c358962407bdb0b1ca48d2b49</guid>
</item>
<item>
<title>More on json signatures</title>
<link>gemini://libreserver.org/blog/more-on-json-signatures.gmi</link>
<description><p>After another day of trying to get all - or at least most - json signatures to verify I'm declaring defeat. My summary is that this method of verifying ActivityPub post authenticity is too complex, too easy to mess with and under ordinary conditions also leaks IP addresses.</p>
<p>In order for a json post to be signed it first needs to be organized into a standardized form, known as &quot;normalization&quot;. That process involves downloading schemas which are defined within the <em>context</em> field of the post, and it looks like such schemas can be recursive and may also reference http-only sites which are amenable to injection attacks. So the schema that you download might not be the same as the one on the server.</p>
<p>Making your signing process depend on remote schemas effectively gives them veto power over whether you can verify incoming posts. Caching schemas gets around this, and in practice I've hardcoded the most common ones, such as the one for <em>activitystreams</em>. But even while doing that, in tests it looks like there is sufficient exoticism out there in the wild that it becomes difficult to say that you have any highly reliable way for signing posts which doesn't have all sorts of unknowable corner cases. It's not even clear that the normalization algorithm checks for circular references.</p>
<p>So at present for compatibility I'll continue using json signatures on outgoing posts, using the <em>activitystreams</em> context which has a hardcoded schema so that it's not needing to download anything from remote sites, but I'll deactivate checking of json signatures on incoming posts unless you set the administrator option <em>&quot;verify all signatures&quot;</em>.</p>
<p>I could devise an alternative post signing system which would be fully consistent and not reference any external schemas, but the main difficulty in any such endeavour is getting the requisite amount of consensus between ActivityPub server developers for it to be useful.</p></description>
<pubDate>Wed, 06 Jan 2021 10:20:16 +0000</pubDate>
<guid isPermaLink="false">1a0536e8a98b944ad882f52cb0d5ae19</guid>
</item>
<item>
<title>Fixing Signatures</title>
<link>gemini://libreserver.org/blog/fixing-signatures.gmi</link>
<description><p>I recently noticed that the json-LD signatures in <a href="https://epicyon.net">Epicyon</a> were not working as intended. Partly it was just that the unit test wasn't comprehensive enough and so wasn't catching failures, but also there were some genuine problems which have now been fixed.</p>
<p>The use of json signatures in the ActivityPub fediverse isn't universal. I notice that some instances do it and some don't. The purpose is to ensure the authenticity of posts even when they are being relayed through intermediate servers. http signatures are good for checking posts as they move from one server to another, but in a decentralized architecture similar to email in which posts may sometimes be stored and re-broadcast by various servers to ensure that they reach their destination even when individual servers may not be 100% available (think of <a href="https://en.wikipedia.org/wiki/Content_delivery_network">content delivery networks</a>) the http signatures may not be enough.</p>
<p>What happens if you don't have authenticity mechanisms like these? In that case it becomes like email in the olden days. X can send a post pretending to be Y in order to artificially incite a flame war on a rival instance, and especially in social network systems this can have devastating effects. With signature checking in place at least if bad actors try to create chaos like this then they are reliably identifiable and blockable.</p>
<p>At present in Epicyon if a post arrives and has a json signature then it will be checked and the post rejected if it fails. This isn't ideal because an adversary can simply omit the signature, but we are not yet in a situation where these sorts of checks are a mandatory part of the ActivityPub specification. I'll add a configuration option which allows json signatures to be fully enforced if you don't care about federating with instances which havn't implemented this.</p>
<p>While fixing json signatures I also noticed that the verifier was downloading schemas from any URL referenced within the context section of a post. Not only was this slow but also potentially insecure. The schemas for activitystreams and signatures are now hardcoded, which makes the checking much faster and doesn't allow a server outside of your control to potentially veto your ability to perform checks. Investigating this also lead me down the <a href="https://en.wikipedia.org/wiki/Schema.org">schema.org</a> rabbit hole, which is another Google horror and probably best left as the subject of a future blog post.</p></description>
<pubDate>Mon, 04 Jan 2021 22:29:07 +0000</pubDate>
<guid isPermaLink="false">b3d17475fc544876280e07d539809577</guid>
</item>
<item>
<title>End of the year</title>
<link>gemini://libreserver.org/blog/end-of-the-year.gmi</link>
<description><p>It's an understatement to say that 2020 has been a difficult year for everyone. Usually I am quite level-headed, but I admit that there were times in the year when I was beginning to lose my cool and go into panic mode. I seem to have survived to the end of the year though, and some amount of gardening has helped to relieve anxiety.</p>
<p>At the end of 2020 the situation in the UK remains extremely bleak. Hospitals are at breaking point and running out of resources. Back in March I expected that the government wouldn't give a damn about the lives of most ordinary people, and that indeed has turned out to be true. Their policy has remained one of &quot;herd immunity&quot; without a vaccine, and attempting to use children and students as an immunity buffer zone.</p>
<p>I've spent most of the second half of the year on Epicyon, getting it into a condition where it's usable and has a few useful features above and beyond those of other fediverse servers, such as the Indymedia-style RSS feed integration, hashtag categories, easy to install themes, being free from javascript and using only debian packages as dependencies. The less obvious re-organization of the code and more rigorous static analysis should also mean that it is easier to maintain over the long term.</p>
<p>This year there have been new Freedombone images for Raspberry Pi 4 and Odroid C4, and work will soon begin on the next release based on Debian 11 (Bullseye).</p>
<p>The prospects for self-hosting in the early 2020s are mixed. I'm increasingly noticing that some people don't have control over their internet routers - i.e. where the router is exclusively managed by the ISP - and this can make self-hosting on the clearnet impossible. So a prediction is that development may go more in the direction of systems based upon onion addresses, or purely p2p (like the Freedombone mesh). I think abandoning the clearnet should only be a last resort though, if there is no other option to run on your own hardware in your own home.</p>
<p>Unless I'm interrupted by pandemic or political chaos I expect the first half of 2021 to be spent working on the next Freedombone release. I might change strategy and just use Armbian and vanilla Debian images as a base. That would remove a lot of the complexity of image building and the dependencies of vmdebootstrap.</p></description>
<pubDate>Tue, 29 Dec 2020 16:12:55 +0000</pubDate>
<guid isPermaLink="false">1bf555b2af6c42c07f3ec58d991c5a07</guid>
</item>
<item>
<title>Improving Shared Items</title>
<link>gemini://libreserver.org/blog/improving-shared-items.gmi</link>
<description><p>The shared items system in <a href="https://epicyon.net">Epicyon</a> is a similar idea to something like <a href="https://freecycle.org">Freecycle</a>, for bartering or giving stuff away which you no longer need. You can post items and they will be listed and searchable for however many days you specify. Shared items are only accessible to other people on your instance and aren't federated. That was a deliberate design choice, because otherwise I expect that it would be primarily used to generate spam.</p>
<img src="https://blog.libreserver.org/bl-content/uploads/shares.jpg" alt="">
<p>A recent improvement is that when new items are added in order to make this a little more obvious I've modified the left column of the UI so that it shows a few of the most recent shares. Selecting one of them then generates a direct message to the person who is offering the share. The usual direct message rules apply. By default you'll only be receiving DMs from people that you follow, so that's something to keep in mind. The overall scenario is free exchange between people who have already established a trust relationship. There is also deliberately no attempt to algorithmically estimate trust scores or anything like that - the trust needs to be purely established through social interaction.</p></description>
<pubDate>Mon, 07 Dec 2020 15:15:20 +0000</pubDate>
<guid isPermaLink="false">f8fb0f8fbcef1b61acdf5846307e98a6</guid>
</item>
<item>
<title>Hashtag categories</title>
<link>gemini://libreserver.org/blog/hashtag-categories.gmi</link>
<description><p>On the search screen of <a href="https://epicyon.net">Epicyon</a> there are a list of hashtags, which you can select to see the corresponding posts. They're not exactly <em>trending</em> hashtags, just ones which have appeared within the last couple of days. Depending upon how many people you're following this can potentially be quite a large list.</p>
<p>So to make things simpler I've added the ability to categorize hashtags, which groups them under category headings. Similar to putting files into a folder in an operating system. The search screen can then show just the categories which have recently appeared, and you can then select them to see the hashtags within those categories. It simplifies the search screen, and helps to impose some order upon the chaos of hashtags.</p>
<p>Assigning categories is easy. If you select &quot;Show All&quot; on the search screen then you can see all the hashtags. At the top of the screen for each tag you'll be able to enter a category. If you do this enough then over time your hashtags will become neatly categorized.</p>
<p>Some default categories have been set up for English language, but since there are many possible ways of categorising the world you can overwrite these if you want different categories. The categories for your instance are published as an RSS feed icon in the right column, and you can subscribe to the categories of other instances by entering their feed URL in the newswire settings. This should enable allied instances to build up appropriate categories for their purposes.</p></description>
<pubDate>Sat, 05 Dec 2020 20:01:57 +0000</pubDate>
<guid isPermaLink="false">e5d14c185b570b7079d0716e63ca191a</guid>
</item>
<item>
<title>Rc3 theme</title>
<link>gemini://libreserver.org/blog/rc3-theme.gmi</link>
<description><p>Using the <a href="https://styleguide.rc3.world">official style guide</a> I've made an <a href="https://events.ccc.de/2020/09/04/rc3-remote-chaos-experience">Rc3</a> theme for the <a href="https://epicyon.net">Epicyon</a> ActivityPub server. Themes have been re-organized so that each is in its own directory, and that makes it quite straightforward to create a new theme.</p>
<img src="https://blog.libreserver.org/bl-content/uploads/epicyon_rc3.jpg" alt="Epicyon Rc3 theme timeline">
<img src="https://blog.libreserver.org/bl-content/uploads/epicyon_rc3_options.jpg" alt="Epicyon Rc3 theme person options"></description>
<pubDate>Tue, 17 Nov 2020 13:18:28 +0000</pubDate>
<guid isPermaLink="false">4874e6aa1bd1189a19e50be10cfa234e</guid>
</item>
</channel>
</rss>