1. 1

    Many comments are already stating it: the article doesn’t really compare editors, nor does it show any strengths GNU Nano has. Okay, one can change the interface in a minimal way, and someone forced Nano to highlight syntactical elements with a patch. For me it looks like OP was overwhelmed by the possibilities of Emacs and Vim and wished for something simpler with just the minimal set of features. And that’s fine!

    1. 5

      From the author:

      I’ve used both vim and emacs. I don’t like either of them, for differing reasons: modal editing doesn’t really fit my mental model of how an editor should work, and Emacs Lisp is not really a particularly fun language to use simply for customizing the behavior of an editor — as they say, Emacs is a nice operating system, it just needs a good editor.

      Doesn’t look like they were overwhelmed. They just don’t like modal editing or Lisp and Nano has the features they do care about.

    1. 4

      Neat, but I still find firefox sync nicer to use. Being able to transfer URLs without having to touch your phone is what I like the most about it.

      1. 3

        Yeah, the ability to pass pages to your device without using both devices at the same time is really handy in Firefox, Chrome, and Safari. My use case for the QR codes is when someone else is working with me and I can’t “cast” the link to them. It’s super handy to be able to just convert it to a QR code and let them scan it. Not something I use all the time but perfect when I need it. Plus the privacy aspect is nice too.

        1. 1

          I know you’re not implying this is the case, but your individual use case does not invalidate the utility of this feature.

          I’d imagine this would be fairly trivial to implement this feature with Tridactyl’s native messenger.

          1. 1

            I’d imagine this would be fairly trivial to implement this feature with Tridactyl’s native messenger.

            If you’re talking about generating QR codes from URLs, there wouldn’t even be a need to use the native messenger, everything could be done in the content script. In comparison, firefox-sync integration would be near impossible to implement (that’s why most issues about it are closed :( ).

        1. 9

          I appreciate that the author didn’t try to write a One True Path manifesto and instead focused on a quick demo of things they like about nano and how to set them up.

          1. 4

            This is by far the scariest thing Apple will ever do. And of course it is all under the guise of “child safety”; how can anyone dispute that?

            This is making me sick. To think that any arbitrary image or message you send or receive will be scanned by Apple… I just don’t understand how they can run ads claiming to be private while scanning every iPhone user’s content.

            I will never own an iPhone, fuck Apple.

            1. 4

              To think that any arbitrary image or message you send or receive will be scanned by Apple…

              That’s not what is happening here. Only children whose parents opt them into the Messages app’s new explicit content filter have Messages scanning taking place, and it takes place locally. No communication with Apple. For adult users the only scanning taking place is hash matching, if you upload a picture to iCloud, against a database of known illegal content.

              1. 2

                For adult users the only scanning taking place is hash matching, if you upload a picture to iCloud, against a database of known illegal content.

                Please tell me you aren’t defending this.

                “Known illegal content” means CSAM right now, but will eventually become anything the government or big tech finds to be undesirable. You can’t be that naive, can you?

                This sets the stage for full blown device scans in the future and it cannot stand.

                1. 2

                  Please see my comment from yesterday for an overview of my position.

              2. 1

                To think that any arbitrary image or message you send or receive will be scanned by Apple

                I think it’s worth asking what you mean when you say “scanned by Apple.” It sounds like you mean scanned in the cloud on Apple servers where they can read it, but that’s not the case here.

              1. 3

                I foresee lots of horny teenagers causing lots of very awkward problems.

                1. 17

                  How so? Do teenagers frequently exchange known images of child pornography that the relevant authorities have already reviewed for inclusion in this database?

                  1. 3

                    To be fair, the Messages feature doesn’t match against a list of hashes but actually does do ML to detect suspicious photos. That said, it’s only for under-13s, who are not teenagers.

                    1. 5

                      Additionally, that particular feature does not communicate with Apple at all. Only the parents or guardians on the account. So maybe an awkward conversation with a parent but Apple never gets involved.

                1. 19

                  I think the greatest concern I have is the potential for governments to pressure Apple into using the tech for other purposes since we know Apple loves them some iPhone sales. That being said though, their technical summary seems to rule out every other concern since it only scans images before uploading them, only flags matches against a known set of images, and those matches are manually reviewed. You couldn’t really fake a match unless you knew the existing dataset so it’s almost impossible that you could “SWAT” someone, and even then it would be trivial to demonstrate that the image was sent to you by someone else. Perhaps if someone had your credentials they could upload images to your account but then that was a risk long before this.

                  I don’t like the idea of this being used for other types of images, but as implemented and for the purpose given it seems like a pretty well thought-out system. I am totally fine with the pushback since it makes Apple be as transparent as possible, but I don’t like that people are making some false claims about how the tech works. I think the focus of criticism deserves to be squarely on the issue of whether Apple bends to pressure from more restrictive governments when their profits are on the line.

                  1. 3

                    and those matches are manually reviewed.

                    I hope they are prepared for the difficulty for the people reviewing. I recall reports of police officers doing this sort of work having mental health issues and not doing it for very long.

                    1. 2

                      Agreed. I have heard that the Facebook team that handles these sorts of things has extremely high turnover.

                      1. 3

                        It looks like the manual review process involves low-resolution versions of the image to protect reviewers.

                        1. 1

                          I’d be far more worried if they didn’t have high turnover.

                      2. 3

                        You couldn’t really fake a match unless you knew the existing dataset so it’s almost impossible that you could “SWAT” someone

                        This was also true of DVD private keys until it wasn’t. (This is not to negate the second part of your sentence, only the first.)
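The comments above argue over what “hash matching against a database of known images” can and cannot do: whether a re-encoded copy of a known image still matches, whether an unrelated image can match by accident, and whether a match can be faked without knowing the database. The following added example is mine, not Apple’s algorithm and not code from anyone in the thread. It uses a toy 8x8 average hash with a Hamming-distance threshold; the images, the threshold and the hash construction are all assumptions chosen to make the mechanics visible.

```python
import hashlib
import math

SIZE = 8  # toy images are 8x8 grayscale grids with pixel values 0..255


def average_hash(img):
    """Toy perceptual hash (assumption, not Apple's): one bit per pixel, set
    when the pixel is brighter than the image mean. Real perceptual hashes
    resize and filter first, but share the property that small changes in
    the pixels leave most bits unchanged."""
    flat = [p for row in img for p in row]
    mean = sum(flat) / len(flat)
    bits = 0
    for p in flat:
        bits = (bits << 1) | (1 if p > mean else 0)
    return bits  # 64-bit integer


def hamming(a: int, b: int) -> int:
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")


def sha256_of(img) -> str:
    """Cryptographic hash of the raw pixels: any change flips it completely."""
    return hashlib.sha256(bytes(p for row in img for p in row)).hexdigest()


def match_known(img, known_hashes, threshold=6):
    """Index of the first known hash within `threshold` bits, else None."""
    h = average_hash(img)
    for i, known in enumerate(known_hashes):
        if hamming(h, known) <= threshold:
            return i
    return None


def craft_collision(target_hash: int):
    """Given only a target perceptual hash, build an image that hashes to it:
    dark pixels for 0 bits, bright pixels for 1 bits. (Degenerate case: an
    all-ones target cannot be hit, since no pixel is strictly above the mean
    when every pixel is equal.) This is why the hash list itself is sensitive."""
    img = []
    for r in range(SIZE):
        row = []
        for c in range(SIZE):
            bit = (target_hash >> (SIZE * SIZE - 1 - (r * SIZE + c))) & 1
            row.append(200 if bit else 50)
        img.append(row)
    return img


def false_match_probability(threshold: int, db_size: int) -> float:
    """Chance that one random 64-bit hash lands within `threshold` bits of at
    least one of `db_size` database entries (union bound, independent bits)."""
    per_entry = sum(math.comb(64, k) for k in range(threshold + 1)) / 2 ** 64
    return min(1.0, per_entry * db_size)


# Constructed sample images (not real data).
KNOWN_IMAGE = [[(r * SIZE + c) * 4 for c in range(SIZE)] for r in range(SIZE)]
# A "re-encoded" copy: brightness shifted by 3 plus +/-1 dither noise.
RECOMPRESSED = [[p + 3 + (1 if (r + c) % 2 else -1) for c, p in enumerate(row)]
                for r, row in enumerate(KNOWN_IMAGE)]
UNRELATED = [[255 if (r + c) % 2 else 0 for c in range(SIZE)] for r in range(SIZE)]


def demo():
    """Run the three scenarios the thread debates and return the outcomes."""
    database = [average_hash(KNOWN_IMAGE)]
    crafted = craft_collision(database[0])
    return {
        "recompressed_match": match_known(RECOMPRESSED, database),
        "recompressed_same_sha256": sha256_of(RECOMPRESSED) == sha256_of(KNOWN_IMAGE),
        "unrelated_match": match_known(UNRELATED, database),
        "crafted_match": match_known(crafted, database),
        "crafted_same_sha256": sha256_of(crafted) == sha256_of(KNOWN_IMAGE),
        "blind_guess_probability": false_match_probability(6, 1_000_000),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The outcome is the distinction the thread circles around: a cryptographic hash would miss the re-encoded copy, so a system matching “known images” has to use a fuzzy hash, and a fuzzy hash is trivially collidable by anyone who holds the target value, while an attacker who does not hold it is reduced to a blind guess against a database of that size.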

                      1. 7

                        Great news, I wonder what it means in practice.

                        Offtopic: Why not just change the ‘a11y’ tag to ‘accessibility’? It’s highly non-obvious what it means to most people.

                        1. 6

                          There’s an argument that writing “a11y” is ironically inaccessible because it isn’t obvious what it means. I don’t buy it because someone only has to tell you once and then you never wonder again.

                          I espouse the counter argument that insisting everyone write “accessibility” instead has worse accessibility because it’s a difficult word to spell. ;)

                          It’s jargon either way. :)

                          1. 3

                            Agreed on the a11y tag.

                          1. 2

                            I pre-ordered this one: https://shop.mntmn.com/products/mnt-reform-usb-keyboard-standalone which seems to have quite a few similar ideas…

                            1. 1

                              Wow, that translucent one is awfully tempting. I’ve been eyeing the laptop specifically for the keyboard and trackball combo.

                            1. 5

                              Looks really nice, clicks the right buttons… But sadly I need a split keyboard for health reasons ;-(

                              1. 11

                                Maybe someone could make a fork :D

                                1. 3

                                  I highly recommend gboards.ca for split keyboards, but I’ve also heard people say good things about the Moonlander (from the ErgoDox EZ folks).

                                  1. 3

                                    I’m one of those Moonlander boosters. Using it right now!

                                    But I do have a caveat: I had to relearn how to type on the ortholinear layout. My typing speed plummeted at first. I had never learned touch typing and was apparently “crossing over” for a bunch of keys like “y” and “6”. Now I’m faster than I was before and back into the realm of “think about the words” rather than “think about the fingers”.

                                    1. 1

                                      The moonlander is easily my favorite keyboard. I just bought a second one for my work desk.

                                      1. 1

                                        Would love to see a direct comparison between the moonlander and Ergodox EZ. I have a (self built) Ergodox and I’m a big fan. But I wish I could have one that is just a tad smaller with keys being a bit closer to each other.

                                        1. 2

                                          I saw this comparison video on YouTube (15 minutes, but indexed so you can skip to parts you are interested in) a few days ago and found it helpful. A friend of mine got the Moonlander and I have an Ergodox, so I hope to compare them for myself in the near future. I have loved my Ergodox and actually don’t find that the thumb clusters cause any trouble for me, so I doubt I will get a Moonlander anytime soon. I do envy the foldable wrist rests though. The ones for the Ergodox could pull double-duty as wheel chocks for a passenger plane and tend to wander away through a day of use.

                                    1. 3

                                      I run a pfSense firewall, a Univention domain controller (which handles DNS and DHCP), and a locally-hosted virtual Unifi controller that controls my Pro access point and my tiny Flex Mini switch. It has been incredibly reliable and I hardly ever need to do anything with any of the components. I could live without the domain controller now, but it has been really handy for managing logins on our family devices and works so reliably that I don’t really have a reason to decommission it.

                                      1. 4

                                        Good story, shame about the spelling mistake in the title…

                                        1. 1

                                          Agreed. At first I thought it might be a British spelling (although I’d never seen it that way anywhere), but confirmed it’s just a misspelling. It was interesting to read about his “origin” story with computing, although I feel like it confirms something that I read recently about that generation of programmers trying to recreate their early experience with the way they promote modern computing to new developers. Teaching computer science on the high school level though, it’s clear that hacking away on a Sinclair is not how the next generation of developers is going to experience technology.

                                          1. 4

                                            Could be from Kerry. Who knows how you even spell any of that? 🙃 Anyway, I’ve stuck to British spelling ever since moving there, and I’ve noticed I accidentally used “ou” instead of just “u” in a few cases as well.

                                            I started on the similar MSX (also a Z80 CPU) in the mid/late-90s; a testament to how fun and useful these machines can be even when antiquated, especially for learning. When we (finally) got a Windows 98 machine I stopped programming for a few years as it was so hard to get started back then, compared to the BASIC environment that the MSX shipped with. I only picked it up again after I discovered Linux and BSD.

                                        1. 4

                                          Coming from a job where I was a systems administrator in a Windows/Linux environment to my new job in a Mac environment I miss PowerShell a lot. I want to start using it on Mac, but the experience on Windows was fantastic, especially because of the deep system integrations. And prior to that job I was “Unix all the things!” so I definitely did not anticipate becoming a PS fan.

                                          1. 7

                                            I just use NetNewsWire locally on my phone. Anything I want to read elsewhere I throw in Instapaper. I just got tired of trying to find the right combo of aggregator and client, especially since I had to use so many different platforms. Going local has really simplified the system for me.

                                            1. 2

                                              I have NNW on my phone and laptop, with similar, but not identical, subscription lists. I don’t want to bother with a third-party, so I just read most things twice (helps with retention).

                                              1. 2

                                                I have a similar setup, NetNewsWire on phone and laptop and feedly for sync

                                              1. 25

                                                When I encounter material like this I just usually skip to the distribution recommendations.

                                                Avoid distributions that freeze packages as they are often quite behind on security updates.

                                                This is a common fallacy, and they give their reasoning below, that most security issues do not get a CVE. This is only true if you believe every use-after-free, buffer underflow/overflow and other C issue is inherently a security issue. You might disagree, but I don’t think that is the case, as many lack any demonstration of being exploitable. It avoids the actual problem of CVEs and security issues (in my opinion).

                                                Use a distribution with an init system other than systemd. systemd contains a lot of unnecessary attack surface; it attempts to do far more things than necessary and goes beyond what an init system should do. An init system should not need many lines of code to function properly.

                                                This is again the same old rambling from anti-systemd enthusiasts. This is only true if you consider local exploitability, but I regard this as a non-issue. You have other problems at this point. Since you can’t prevent security issues, and exploitable issues, you should seek out projects that take security issues seriously and demonstrate they can handle them, along with them actually being discovered. Remember, the amount of CVEs in a project is a sign of maturity, not insecurity. I’d be more cautious of software that is popular but has no issues. It means people are not looking.

                                                Use musl as the default C library. musl is heavily focused on minimality which results in very small attack surface whereas other C libraries such as glibc are overly complex and prone to vulnerabilities. For example, over a hundred vulnerabilities in glibc have been publicly disclosed compared to the very few in musl. While counting CVEs by itself is often an inaccurate statistic, it can sometimes be used to represent an overarching issue such as in this case. musl also has decent exploit mitigations, particularly its new hardened memory allocator.

                                                Again, I disagree with the premise and the conclusion. While the musl project is great, I don’t think these comparisons are useful; they just further FOSS maintainers’ distaste of CVEs.

                                                Preferably use a distribution that utilizes LibreSSL by default rather than OpenSSL. OpenSSL contains tremendous amounts of totally unnecessary attack surface and follows poor security practices. For example, it still maintains OS/2 and VMS support — ancient operating systems that are multiple decades old. These abhorrent security practices are what led to the dreaded Heartbleed vulnerability. LibreSSL is a fork of OpenSSL by the OpenBSD team that applies superior programming practices and eradicates a lot of attack surface. Within LibreSSL’s first year, it mitigated a large number of vulnerabilities, including a few high severity ones.

                                                While again, LibreSSL is a cool project (at best), I don’t think it serves the same purpose it did after Heartbleed. OpenSSL has gotten a ton of eyeballs and development time since then, and LibreSSL breaking APIs, leading to extensive patching upstream, makes it hard for proper adoption. It’s also still C, so “superior programming practices” is just moot.

                                                TL;DR

                                                This reads like an ode to some favorite distribution or way of living instead of giving sound advice. If you want to harden your system you should consider a few options: exploitability and post-exploitability.

                                                Post-exploitability: If systemd does get pwned, you can still mitigate some attack vectors. This is where compilation flags are important, along with kernel hardening. If this is what you care about, please do secure your system. A lot of the notes here are good in this regard as well. This is where I believe the threat model from QubesOS comes in (please correct me on this).

                                                However, if you care about exploitability, following this guide doesn’t give you much. You want a distribution that cares about reacting to security issues, CVEs and applying the appropriate patches. Which distributions are these? I defer to the Openwall distro embargo list usually. Distributions that have the overhead to participate have the intention of doing the right thing.

                                                If the distro is not on this list, try to look up their security team and figure out if they are organized and publish advisories. This is again a good indication they are trying to do the right thing. But it’s important to realize that security teams in volunteer-run distributions can never get all of the CVEs. This can only be done by the 3 enterprise distros: Red Hat, Canonical and openSUSE. There are collaborations between all of us, but it’s a lot of work.

                                                Disclaimer: Been contributing to the Arch Linux security team since 2017.

                                                1. 10

                                                  This article provides all sorts of advice but lacks a threat model. I don’t think its purpose is to provide one, and that’s why caution should be taken when implementing some of this. Really, a defense in depth style approach would be better: assume someone does have root via a local privilege escalation, if that’s what you’re worried about. How do you protect your assets?

                                                  No one that’s running and has to secure a large academic cluster is going to run Gentoo, for instance. They’re probably going to install RHEL. The real question is how your defense in depth works, not if and when someone inevitably pwns your systemd.

                                                  (Of course, if that’s part of your threat model, you may want to include it in your defense in depth too.)

                                                  1. 5

                                                    This article provides all sorts of advice but lacks a threat model.

                                                    Yessss, more of this. We can discuss security but without a proper model of what we are protecting you are just doing a lot of fancy theater without really getting anywhere. Having a realistic model helps you implement proper measures and should be the starting point of any hardening endeavor. I think introducing some concepts such as “exploitability” and “post-exploitability” are maybe bad words, but gives people some words to hang ideas around.

                                                    1. 2

                                                      One thing I’ve heard reiterated is that a checklist is a “bare minimum” when implementing secure systems. This article is a checklist. Like any other checklist, following it exactly will likely result in an unusable system, and only following it will result in a false sense of security.

                                                      1. 2

                                                        Those checklists are usually either guidelines or baselines internal to your company.

                                                        Guidelines are usually thought through and apply the security concepts mentioned above like defense in depth.

                                                        Baselines are the minimum that needs to be done for your system to meet the internal requirements of the company.

                                                        Although, a random checklist on the internet isn’t either of those 2 as it’s totally external to your company.

                                                        For example, no financial institution is going to use Void instead of RHEL because of the support. Nor will they start to upgrade all packages as soon as they’re available without testing them through their change management process.

                                                        1. 2

                                                          following it exactly

                                                          .. will result in a heterogeneous state where you can take all of these systems down that follow this guide to perfection?

                                                          1. 2

                                                            lol, yeah, exactly - at that point, you only need to look at the guide to figure out how to attack anything that used it. Though some checklists are more just best practices. Like, don’t use empty root passwords - that sort of thing. Monotonically increasing security is the idea, but obviously not all checklists are going to do that…

                                                    2. 7

                                                      Oh, almost forgot.

                                                      The most common verified boot implementation is UEFI Secure Boot however this by itself is not a complete implementation as this only verifies the bootloader and kernel, meaning there are ways to bypass this:

                                                      Yay, no anti-Secure Boot FUD. Always a relief.

                                                      UEFI secure boot alone lacks an immutable root of trust so a physical attacker can still reflash the firmware of the device.

                                                      Is wrong; most modern machines have TPMs, which work as an immutable root of trust if you are utilizing secure boot. You don’t have to use either the Intel or AMD options for this. It would also detect firmware flashing.

                                                      1. 1

                                                        A proper secure boot implementation should be doing measured boot too, no?

                                                        1. 1

                                                          Not “secure boot implementation”, but a “verified boot implementation” would be doing measured boot and secure boot.

                                                          Secure boot itself doesn’t do more than authenticate the files you are booting.
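The two comments above draw the line between Secure Boot (authenticate what you are about to run) and measured boot (record what actually ran into TPM PCRs, then gate secrets on those records). The following added example is mine, not code from the thread, from the hardening guide or from any TPM stack; it emulates the TPM 2.0 PCR extend operation and a PCR-bound sealed secret in plain Python so the consequences of a firmware reflash can be seen. The boot chain, PCR assignments and sealed secret are constructed assumptions.

```python
import hashlib
import hmac

PCR_INIT = b"\x00" * 32  # SHA-256 bank PCRs start at all zeros at reset

# Constructed boot chain (assumption) standing in for the components that
# firmware and the bootloader measure on a real machine:
# (PCR index, label, bytes of the component being measured).
GOOD_BOOT_CHAIN = [
    (0, "platform firmware", b"vendor UEFI firmware build 1.2"),
    (7, "secure boot policy", b"SecureBoot=1 db=vendor,microsoft"),
    (4, "bootloader", b"shim + grub EFI image"),
    (4, "kernel", b"vmlinuz-5.10 signed"),
]


def pcr_extend(current: bytes, data: bytes) -> bytes:
    """TPM 2.0 extend on a SHA-256 bank: PCR_new = SHA256(PCR_old || SHA256(data)).
    There is no inverse, so a measurement can be appended but never removed."""
    return hashlib.sha256(current + hashlib.sha256(data).digest()).digest()


def measure_boot(chain):
    """Replay a boot chain into PCR values, as firmware does on every boot."""
    pcrs = {}
    for index, _label, data in chain:
        pcrs[index] = pcr_extend(pcrs.get(index, PCR_INIT), data)
    return pcrs


def policy_digest(pcrs, indices) -> bytes:
    """Digest over the selected PCRs, in the role of a TPM PCR policy."""
    h = hashlib.sha256()
    for i in sorted(indices):
        h.update(bytes([i]) + pcrs[i])
    return h.digest()


class SealedBlob:
    """Emulates a TPM-sealed object: the secret is released only when the PCR
    policy recorded at seal time matches the PCRs presented at unseal time.
    A real TPM enforces this inside the chip; here it is an in-process check
    (assumption, for illustration only)."""

    def __init__(self, secret: bytes, pcrs, indices):
        self.indices = tuple(sorted(indices))
        self.policy = policy_digest(pcrs, self.indices)
        self._secret = secret

    def unseal(self, pcrs):
        if hmac.compare_digest(policy_digest(pcrs, self.indices), self.policy):
            return self._secret
        return None  # policy mismatch: the TPM refuses to release the secret


def disk_key_released(chain, blob) -> bool:
    """Boot the given chain and ask for the sealed disk key."""
    return blob.unseal(measure_boot(chain)) is not None


# A physical attacker reflashes the firmware. The bootloader and kernel are
# unchanged and still carry valid Secure Boot signatures, so signature checks
# pass, but the measurement recorded in PCR 0 is different.
REFLASHED_CHAIN = [
    (0, "platform firmware", b"vendor UEFI firmware build 1.2 + implant")
] + GOOD_BOOT_CHAIN[1:]

# Same components measured in a different order: extend is not commutative,
# so PCR 4 differs even though every individual component is identical.
REORDERED_CHAIN = GOOD_BOOT_CHAIN[:2] + [GOOD_BOOT_CHAIN[3], GOOD_BOOT_CHAIN[2]]


def demo():
    """Seal a key to the known-good PCRs, then try three boot scenarios."""
    good = measure_boot(GOOD_BOOT_CHAIN)
    blob = SealedBlob(b"constructed disk encryption key", good, [0, 4, 7])
    return {
        "good_boot_unseals": disk_key_released(GOOD_BOOT_CHAIN, blob),
        "reflashed_firmware_unseals": disk_key_released(REFLASHED_CHAIN, blob),
        "reordered_chain_unseals": disk_key_released(REORDERED_CHAIN, blob),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two things worth noting when reading the output. First, the reflashed chain boots under Secure Boot, since nothing it signature-checks has changed, yet the disk key stays sealed because PCR 0 no longer matches; that is the difference between authenticating and measuring. Second, the model assumes the measurement of the firmware is taken honestly by code the attacker could not also replace, which is exactly the root-of-trust-for-measurement question the two comments above disagree on.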

                                                      2. 12

                                                        Use a distribution with an init system other than systemd. systemd contains a lot of unnecessary attack surface; it attempts to do far more things than necessary and goes beyond what an init system should do. An init system should not need many lines of code to function properly.

                                                        I saw this and just closed the tab.

                                                        1. 3

                                                          Right, I get that. But I’d still read over it as you might get an idea or two. But taking it at face value is not really going to give you a lot more than a painfully broken system.

                                                      1. 5

                                                        This is an oldie but a goodie, for the simple fact that git is not only so common, but that knowledge of its ins and outs is valorized among programmers. I should be perfectly happy if someone read this entire page and the only lesson they took away was, ‘wow, git is a very poorly designed program.’

                                                        1. 6

                                                          I am in the midst of teaching my web development students how to use git and - as is true every year - I am appalled at how convoluted it is. Git is the software equivalent of English.

                                                        1. 1

                                                          The ratio of words-read to words-understood in that essay is making me rethink my life right now. I had absolutely no idea how deep that rabbit hole went.

                                                          1. 4

                                                            A split staggered keyboard makes no sense to me. I have an Ergodox and a Kinesis Advantage and the columns are much more logical if you can turn the parts or have better spacing.

                                                            Also, the relearning for those is trivial. Ok, the arrow keys are a pain!

                                                            1. 1

                                                              I love my ErgoDox but after months of trying I simply couldn’t get used to the default arrow keys so I moved them all to the right half in the Vim order along the bottom row and it’s working much better for me now. I just couldn’t adapt to using two hands for the arrow keys.

                                                              1. 1

                                                                Yeah, I also ditched the default layout. I don’t like that bottom row. I don’t use it now. The rest of the hardware layout is good though.

                                                            1. 2

                                                              In all these cases there were ways to keep a flat UI while making the interactive elements stand out more.

                                                              For example, on the first example they went from what clearly looks like a button to a white box on a white background with a purple border. It should have been possible to make that button flat, but give it a subtle shadow or something to make it stand out more.

                                                              I think it’s an interesting study but they aren’t really saying what should be done to improve flat UIs. Going back to skeuomorphism is probably not an option as it would make the UI look dated, but there has to be a middle ground that can work.

                                                              1. 3

                                                                Going back to skeuomorphism is probably not an option as it would make the UI look dated, but there has to be a middle ground that can work.

                                                                I think the concern (and I am not saying this was your argument, the sentence just led me in this direction) with looking dated is where the problem pretty much lies. When you look at industrial or medical products, there is an overwhelming concern with usability, not novelty. Yet there is still variety. I think that UI designers can achieve variety and aesthetic pleasure without abandoning a good idea simply because it looks old. This will probably happen naturally over the coming decades as these technologies become normal, which is why we no longer see insane steering wheels except in concept cars.

                                                                1. 3

                                                                  It should have been possible to make that button flat, but give it a subtle shadow or something to make it stand out more.

                                                                  I don’t want to “no true Scotsman” things here, but at that point it’s no longer a “flat UI”, right? I think the objection is mostly against UI elements which are truly flat, not those that are “less 3D”. I often use shadows myself, which gives kind of a “pop-out 3D” similar to the 3D UI of yesteryear, except more, well, fashionable I guess?

                                                                  If you look at the GNOME/Librem screenshots in another reply here, then the “3D effect” is done by using a gradient background which is slightly different from the surrounding colour, but with a solid border colour which doesn’t pop out (which is what the old UIs used) – stuff like the Bootstrap CSS theme also does it like that by default (or at least, used to do – haven’t used it in a few years).

                                                                  Even the buttons on Lobsters which have a solid border colour and solid background colour kind of “pop out”. It takes very little to fool our brain into thinking something “pops out”, and the problem with flat UI is that it makes no effort at all to do that. Anything that does make that effort is – as far as I’m concerned – not really a flat UI.

                                                                  1. 2

                                                                    Exactly. There’s a lot you can achieve with subtle suggestions of depth without going in completely the opposite direction and distracting from the content (or just blending in; there’s a reason road signs aren’t detailed and realistic). I’m actually really glad for the cleaner interfaces we have today in general but it still needs to be done thoughtfully. There are definitely too many completely flat designs that just jump on the trend without putting any thought into why or how. That’s lazy. But a UI can certainly take elements of flat design while remaining highly usable.

                                                                  2. 2

                                                                    There most certainly exists a middle ground, signifiers are on a spectrum and the example of the underlined vs. just contrasting-colored links reveals you can get away with weakening them (although underlined links is not something I’d personally recommend) and users will still figure them out. This article goes into more details on how to improve flat UIs.

                                                                  1. 2

                                                                    Very interesting point about asynchronous conversation on a shared document. I am definitely on the market for decent tools here. I can’t find a tool that I’m happy with. I’ve tried

                                                                    • google docs (and suite)
                                                                    • MS word online
                                                                    • quip
                                                                    • confluence
                                                                    • VS code
                                                                    • ms whiteboard
                                                                    • google colab
                                                                    • markdown in git

                                                                    but all fall short one way or another. poor collaborative edits, or lack of diagrams or image management, or even comments are either broken or a pain to use. I wish for a collaborative orgmode, but I’d be happy to settle with markdown with latex equations and comments. Closest I’ve used was quip, although it is not missing its share of problems. Does anyone have other suggestions?

                                                                    1. 3

                                                                      If you work in a G Suite environment, Coda.io is pretty great. In the last few weeks they have added support for non-Google logins so you don’t need to use G Suite or Gmail to authenticate.

                                                                      1. 2

                                                                        Coda.io

                                                                        That looks very very interesting, also has latex math formulas!! thanks!

                                                                    1. 24

                                                                      I have run both static and Wordpress sites in the past and Wordpress definitely has a better publishing experience for most writers than a static site. Whenever the experience of publishing static sites is criticized, I usually only hear scoffing from developers glancing up from their wall of terminals. “How could this be hard for anyone else?” But the fact of the matter is that for most people, it is. If static is superior, then it would be awesome to see developers making tools that make it easier for the average writer to publish a static site instead of being confused about someone “not getting Jekyll”. Make it easy to do it the right, secure way. My position right now makes me the interface between a lot of “average” users and complicated tools and especially now that we are working remotely, I am intensely interested in making processes easier (and still safe) for my users, even if I have to sacrifice technical purity. But when I can help them complete the task in the best way, easily, then that’s a big win.

                                                                      1. 25

                                                                        The tools exist. You can add a content manager on top of a static generated site, like Netlify CMS or Forestry, just to cite two of them. They’re called headlessCMS and there’re a lot of them.

                                                                        There’re other advantages on going static that @kev doesn’t talk on this post. For example, I think the most important for me is that you can pass the trouble and cost of maintaining a server with php, a database and a webserver running 24/7.

                                                                        But at the end of the day I don’t think there’s only one right way to do things. I agree with @kev:

                                                                        WordPress is far from perfect, but it works for me. If using a static site works for you, that’s great. It would be a very boring world if we all liked the same thing.

                                                                        1. 2

                                                                          I’ve tried Netlify, and I wasn’t impressed. Compared to just unzipping a version of WordPress on an Apache server and setting up a MySQL database, it felt very counter-intuitive and complicated to use and setup and I didn’t even get it to work in the end. All these headless CMSs seem very ad-hoc.

                                                                          I think the most important for me is that you can pass the trouble and cost of maintaining a server with php, a database and a webserver running 24/7.

                                                                          As @kev mentioned elsewhere in this thread, you still need a web server running to serve static content, which almost certainly has PHP enabled anyway. The only difference is that you don’t need a database. And I admit that databases are somewhat opaque compared to how static site generators structure the content, but there’s a reason that most CMSs store their data in a SQL database rather than in plain text files.

                                                                          (As a sidenote, I’m not a huge fan of CMSs either. I myself have a static site, I just don’t use a static site generator.)

                                                                          1. 1

                                                                            You generally don’t host a static site on an actual web server; Netlify or GitHub/GitLab Pages or S3 or whatever is a layer of abstraction on top of that. I use Google Cloud Storage for https://snazz.xyz, so I build my site locally and have a script that copies the files to my GCS bucket.

                                                                            For my site’s traffic usage, replicated hosting on multiple continents is free (and then I pay by the GB of bandwidth after the first 5GB). Plus, I don’t have to do any maintenance whatsoever.

                                                                            1. 5

                                                                              I just can’t see how this is simpler than just having a web server running. And I feel much more in control running my own web server on a VPS than hosting my site in Amazon’s or Google’s cloud.

                                                                              1. 1

                                                                                I understand the need for control but I think that one of the main benefits of running a static website is that there is almost no vendor lock-in. That’s why I feel confident about hosting my personal blog on Netlify. If the company goes out of business tomorrow, migrating to something else will take 10 minutes at most.

                                                                                1. 3

                                                                                  There’s still much more vendor lock-in than with a simple web server. A WordPress installation looks identical, no matter what VPS it is hosted on. Same goes for Apache. But Netlify’s “in-browser edit” interface is different than GitHub’s, which is different than GitLab’s, and so on. If you want to be truly free, you can never really allow yourself to get used to Netlify/GitHub/etc, because if you get used to any specific service, the barrier for leaving it will be higher.

                                                                                  It’s not a huge deal, but it’s a big enough deal for me to feel uncomfortable with it.

                                                                                  1. 1

                                                                                    From my observations, people treat the web editor as last resort (among github users, its use for anything is strongly discouraged—in collaborative development context, for valid reasons).

                                                                                    The advantage people love those things for is pushbutton deploy: you push generated pages to git, and the rest happens without you. With Github Pages’ built-in Jekyll, you push source files/configs/templates to git and generation also happens without you.

                                                                                    Myself I’m not fond of autogenerated files in git, and rsync+ssh to my own web server is all deployment automation I want (I made it a make target), but for some it’s a real selling point.

                                                                                    1. 2

                                                                                      From my observations, people treat the web editor as last resort (among github users, its use for anything is strongly discouraged—in collaborative development context, for valid reasons).

                                                                                      The reason I focus on the web editor is that lots of people in this thread are presenting it as a perfectly viable alternative to WordPress’ web editor, which I don’t really think it is.

                                                                                      The advantage people love those things for is pushbutton deploy: you push generated pages to git, and the rest happens without you. With Github Pages’ built-in Jekyll, you push source files/configs/templates to git and generation also happens without you.

                                                                                      I don’t know… I can’t see how this isn’t just another step in the process of updating the site that just makes it more complicated. Wouldn’t the most effortless solution just be a traditional shared web host with FTP access?

                                                                                      (Also, with GitHub + Jekyll, you still need to generate it on your own system to preview it, so I don’t see the benefit of any generation happening on GitHub, and don’t get me started on issues of version mismatch between GitHub’s Jekyll and my local installation…)

                                                                                      1. 1

                                                                                        version mismatch between GitHub’s Jekyll and my local installation…

                                                                                        On Netlify you can specify the version of SSG you’re using. I use Hugo and I can set it to the same version as my local one.

                                                                                2. 1

                                                                                  I think it’s just a tradeoff. Instead of managing SSH keys, apt unattended-upgrades, and Certbot, I just run this script on my computer every time I want to upgrade my site:

                                                                                  #!/bin/sh
                                                                                  # Stop on the first failing command; without this a failed
                                                                                  # build would leave us in the source dir and rsync -d would
                                                                                  # delete the live site from the bucket.
                                                                                  set -eu
                                                                                  
                                                                                  cd ~/everything/site
                                                                                  rm -rf public
                                                                                  zola build
                                                                                  cd public
                                                                                  # -d deletes bucket objects that no longer exist locally
                                                                                  gsutil -m rsync -d -r . gs://www.snazz.xyz
                                                                                  gsutil -m rsync -d -r . gs://snazz.xyz
                                                                                  

                                                                                  Maybe this is more complex overall, but the amount of stuff I have to keep in my head is much reduced this way. I can see why you might prefer to maintain control over the web host, but I’m perfectly happy not having to do any sysadmin tasks.
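                                                                                  A deploy step of this shape has one failure mode worth guarding against: if the generator fails or produces an empty directory, `rsync -d` will still delete whatever is in the bucket. Added example, not the commenter’s script: a wrapper that runs the build, refuses to sync unless the output looks like a finished site, and only then syncs. The build and sync commands are passed in as strings (an assumption made so the example runs offline with stand-ins; in real use they would be `zola build` and the `gsutil rsync` line).

```shell
#!/bin/sh
# Added example (not the commenter's script): deploy only after the build
# output has been verified, so a broken build can never wipe the live site.
set -eu

# verify_site_output DIR: succeed only if DIR looks like a finished build,
# i.e. it exists, contains an index.html and at least one file.
verify_site_output() {
    dir="$1"
    [ -d "$dir" ] || { echo "no output dir: $dir" >&2; return 1; }
    [ -f "$dir/index.html" ] || { echo "no index.html in $dir" >&2; return 1; }
    count=$(find "$dir" -type f | wc -l)
    [ "$count" -gt 0 ] || return 1
    return 0
}

# deploy_site SITE_DIR BUILD_CMD SYNC_CMD
# BUILD_CMD runs inside SITE_DIR and is expected to produce SITE_DIR/public;
# SYNC_CMD runs inside SITE_DIR/public and is only reached after verification.
# Both are hypothetical string parameters so the function can be exercised
# with stand-ins instead of zola and gsutil.
deploy_site() {
    site="$1"; build="$2"; sync="$3"
    out="$site/public"
    rm -rf "$out"
    ( cd "$site" && sh -c "$build" ) \
        || { echo "build failed, not deploying" >&2; return 1; }
    verify_site_output "$out" \
        || { echo "build output incomplete, not deploying" >&2; return 1; }
    ( cd "$out" && sh -c "$sync" )
}
```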

                                                                                  1. 2

                                                                                    Instead of managing SSH keys, apt unattended-upgrades, and Certbot

                                                                                    None of these are strictly necessary. I have no need for a non-self-signed SSL certificate, so I don’t need to worry about renewing it.

                                                                                    Maybe this is more complex overall, but the amount of stuff I have to keep in my head is much reduced this way. I can see why you might prefer to maintain control over the web host, but I’m perfectly happy not having to do any sysadmin tasks.

                                                                                    I understand, I didn’t mean that managing a web server is zero-effort in any way.

                                                                          2. 10

                                                                            10 years back, my friends over at TheConversation.com.au created a “live” static site generator.

                                                                            The public site was nginx serving html files off disk, but there’s a full CMS with a database, versioning, etc. generating those files when an article is updated.

                                                                            This architecture had the significant advantage that it was really, really hard to cause a public facing outage.

                                                                            Also, truly huge amounts of traffic could be handled by a single, quite small server, even before adding a CDN to the picture.

                                                                            1. 4

                                                                              Yes, the ability for even a small server to handle enormous numbers of page views is a definite technical advantage of a static site. I just think the number of moving parts in an SSG end up nullifying the advantages in the eyes of the prospective publisher. Tools that couple the publishing interface (especially on mobile) of WordPress with the speed and small attack surface of a static site are definitely in order. @kev mentioned Grav as one such tool in some of his comments, although I haven’t had the chance to try it. But my experience with SSGs eventually drove me back to just writing straight HTML in a decent IDE.

                                                                              1. 3

                                                                                It’s been a loooong time, but isn’t that basically how MovableType worked?

                                                                                1. 2

                                                                                  MovableType definitely has a mode which does that. Charlie Stross’ blog is static and built with MovableType (or used to be)

                                                                                  1. 2

                                                                                    One of the big features of WP over MT back in the day was “instant publishing”, you didn’t have to wait for the time-consuming “rendering” step.

                                                                                2. 1

                                                                                  I used to do something very similar with a home baked thing in ruby. Once I hit on it I was surprised it wasn’t a more common pattern.

                                                                                3. 4

                                                                                  Couldn’t agree more.

                                                                                  By the way, if you’re looking for a happy medium, check out Grav (https://getgrav.org). I used it for a while, but did run into some issues with it.

                                                                                  1. 3

                                                                                    I started blogging with UserLand Radio and later Movable Type. While primitive by today’s standards, this software attempted to bridge these worlds. The blogging experience was through a dynamic application and the publishing output was static HTML.

                                                                                    As time progressed, I would often output “SHTML” (server-side includes) or PHP with these tools. That way you include more complicated dynamic pages for contact forms, surveys, etc. without using CGI scripts.

                                                                                    I’m curious as to whether the authors of tools like Grav, etc. have any experience with these older tools? Once Wordpress appeared on the scene, everyone ran in that direction of the ease of publishing, but we’ve had a lot of pain with maintenance and security vulnerabilities. I’m considering building something dynamic for my personal site which combines link blogging and photography because I know I’m more likely to publish to it when I have time, which also happens to be when I’m on my phone.

                                                                                    1. 3

                                                                                      Radio and Frontier were quite advanced. They still have many features that are not present elsewhere. I miss Radio…

                                                                                    2. 3

                                                                                      I think the thing missing from this discussion is that a lot of writers have their preferred text editor. I hate environments where I’m expected to write a large amount of text in anything other than my favourite text editor. Most writers I have met have an editor that they like (and often have customised a lot, with off-the-shelf plugins and custom key bindings / macros, even if they’re not programmers). If they’re using WordPress, they’ll write in something else, then copy and paste. If their favourite editor has native Markdown support, then they’ll use that and then copy it, otherwise they’ll paste text and then faff getting the formatting right.

                                                                                      The thing that they usually want is a mechanism to push directly from their editor to a live preview and then to deployment. That’s generally easy to hook up with a static site generator driven from git and a scriptable editor (these days, that means anything that’s not Notepad), but for a lot of commercial sites it often ends up having a manual step involving someone emailing a word document.