<-- back to the mailing list

[users] Public Gemini hosting?

Jason McBrayer jmcbray at carcosa.net

Fri Apr 9 14:44:01 BST 2021

- - - - - - - - - - - - - - - - - - - 

Mansfield writes:

I also think that paying to sign the binaries would still *not* be
enough, right? At least, from my perspective (imagining I hadn't
written it) I would still not trust the client or server.

It's hard to say. I lean towards no... I know on proprietary OSes thatpeople do normally download and run signed binaries, and that this isthe level of trust that's normal to them. But so far, I haven'trecommended anything that's not Free Software...

Likewise, the client locks the user into using your server for
publishing. While that's certainly the easiest approach starting out,
I'd rather see an open standard for registration and publishing,
preferably using existing protocols.
Interesting perspective... I think I would have characterized it
differently, but that's OK. When you mention 'using existing
protocols', I would assume you mean SSH - is that what you were
meaning?

SSH would in some ways be the best option. It's secure, and easy for theserver admins to set up and permission. But it makes a cross-platformclient harder, particularly on Windows (no vendor-supplied scp binary,and it's known to be very hard to build libssh2 there). FTP is anoption, but it has privacy/security issues, and supporting librariesoften don't support FTPS. There's a case to be made for using HTTPS,honestly, but I'd like to avoid web platform stuff by default (i.e.,unless it's clearly the best choice).

I think, from your perspective, you're looking for something that
is... open source... and that uses a more standard approach for
registering and publishing, right?

Yes. I'm actually working In My Copious Free Time on a standard anda reference implementation for doing this, but I wouldn't expect realfast progress. It's just at the thinking and taking notes stage.

Maybe if the client were written to run in the browser?

There are actually several browser-based Gemini posting options(midnight.pub, gemlog.blue, flounder.online), but I'm interested innative apps, in the interest of fully decoupling from the WWW.

But then the server wouldn't be open... humm... though... I'm
curious... is there *any* server that is running where the code being
run can be verified? I could see someone saying, "I'm running the open
source version of FOO as the server", but they could have tweaked it
to be FOO' or something... thoughts?

Most Gemini servers are FLOSS, but yes, there's no way to verify thatthe code running on the server is exactly the public released code. Idon't see this as quite as essential as being able to trust the clientcode, because if you're hosting your documents on someone else's server,you've got to trust them to a certain extent anyway, and you're notletting someone run code on your machine, with potential access to yourdata that you haven't shared.

-- Jason McBrayer | “Strange is the night where black stars rise,jmcbray at carcosa.net | and strange moons circle through the skies, | but stranger still is lost Carcosa.” | ― Robert W. Chambers,The King in Yellow