Threads for gcupc

    1.  

      I gave Niri a try for a few hours. I didn’t finish all the customizations I would’ve liked, but I don’t think I would’ve liked it even if I had.

      Your comment about searching for something and it being in the last place you look is exactly how I felt with Niri once I had more than say 6 open windows in a workspace. And I found it frustrating that it’s impossible to open a new window without moving all the other windows. I found myself manually shuffling windows around every time I opened one, or going to separate workspaces to avoid the issue.

      I’m a bit disappointed, because I’ve had a lot of technical issues with Sway and Niri seems great on that front, and it has neat features. Maybe I’ll take a hatchet to Niri’s code and make it work like Sway so I can get a setup I can live with on a better technical foundation.

      1.  

        There are a number of other compositors also using Smithay like Niri, maybe one will be closer to your liking.

      2. 12

        To me, the important bit that’s missing from this article is that the current generation of AI is fundamentally tied to the financial market, not to the market for products. Like blockchain/Web3, investment in generative AI is supposed to provide a story that makes these companies’ inflated P/E ratios seem reasonable, by promising a new field of unlimited growth for companies that are now actually in a mature industry. Whether it provides any products that are actually useful to consumers (including businesses) is beside the point; the products are only a prop for telling the story.

        The thing is that Apple is a product company. To the extent they’re telling a story, it’s that buying and using their luxury products will make you happier and more productive than using the commodity products in the same categories. Promising AI features may seem like something natural and even necessary for them, given that it’s the current hype cycle in the tech industry, but it’s actually crossing the streams. Touting AI is basically sending the message that their product doesn’t actually matter, and given Apple’s product orientation, that was probably not intentional, and doesn’t actually reflect their plans.

        I don’t think Gruber is conscious of this, given that he says, “Generative AI is the biggest thing to happen in the computer industry since previous breakthroughs this century […]. Nobody knows where it’s going but wherever it’s heading, it’s going to be big, important, and perhaps profitable.” But he’s got to be feeling the disconnect, he’s just partially mistaken about where it comes from.

          1.  

            I was this close to using the phrase “rot economy” in my comment, so yeah.

        1.  

          My experience of public sector software development is that it’s significantly affected by the inability to pay developers market rates, and the inability to hire the number of developers needed to maintain their codebase. There are other pathologies, but these are the biggest.

          1.  

            I’m currently on sway, the way I work is - I have 10 workspaces, workspace 1 shows telegram, slack and matrix; workspace 2 has just a browser; workspace 3 has all the terminals; workspace 4 has just emacs; workspaces 5 to 9 are scratchpads, I don’t keep anything long running in them, I just use them when I need more space for a one-off thing; workspace 10 is for music/media

            Right now I can switch to things directly because they are always at the same workplace. Could something like this be replicated with niri? I played with it for a few minutes but found myself getting a bit lost - my keybinds didn’t land me on the things I hoped they would due to the dynamic nature of workspaces

            To ask the same question in a different way, how do you prevent windows from getting lost, if a window can be on a workspace, but off-screen?

            1.  

              Niri does have named workspaces, but I’ve never tried them.

              1.  

                Oh, cool, that could do the trick, thank you for pointing that out.

            2.  

              I use Niri and I wholeheartedly agree that Niri is doing a much better job technically than the clunky quirky C code in wlroots and Sway. It’s also a nicer user experience overall. Niri is only getting better by the day, leaving stagnating Sway C code in the dust.

              Still, I somewhat miss the UX of “tabbed/stacked layouts with nested containers, the least ergonomic Band-Aid™ for the space issue I’ve ever seen” and I don’t agree that containers are a band-aid, even though I agree that they bring their own cognitive load.

              On Sway, I often had eleven workspaces open.

              added shortcuts to workspaces 11-20

              On Sway I was never actually using more than five workspaces. A laptop screen + a big 4k screen + tabbed containers were actually a solution to the proliferation of workspaces: I kept a small number of workspaces with an arbitrary number of temporary windows in a tabbed container for a task that I could manipulate as one unit (closing, moving to another workspace, etc). I had to adjust to avoid multiplying windows in a Niri workspace, because I quickly lose track of invisible windows beyond the edges of screen (and Waybar has not been cooperative to display icons only from the current workspace), while on Sway I could see window decorations and titles for every top-level window/container in the workspace at the same time.

              Another little annoyance is that I like that Sway workspaces have their own global namespace. I’m used to Sway workspaces 1 and 3 living on the laptop screen, 2 (and rarely 4) on my external monitor by default. When I unplug the external monitor, the workspace 2 (and maybe 4) just migrates to the laptop screen temporarily without changing the numbers, while on Niri workspaces 1 and 2 from the external monitor become something like 4 and 5 on the laptop screen.

              Another feature that I’m waiting for is to be able to bind gestures to actions (swiping a workspace to another monitor can be nice).

              Still, Niri is just awesome overall, I use it and I highly recommend it.

              1.  

                I’m gonna give Niri a try. Maybe it’ll even fix the bad perf and crashes I’ve had under Sway.

                I agree on tabs. I used to have over 20 Sway workspaces, all with tabs. Recently Firefox has started having trouble when I have over 100 windows open, so I’ve had to cut back, and only have 9 workspaces, but I still have lots of tabs and I feel like they make it very quick and easy to find what I’m looking for. But I navigate by mouse. Whenever I happen to need to use the keyboard to navigate my sea of tabs inside tabs, it sucks. Maybe @eBPF always uses keyboard navigation and that’s why they dislike using tabs?

                Maybe I’ll implement tabs for Niri if I miss them :laughing:

                Edit: wait, Niri already has, I just discovered while trying to get started. Though they’re opposite to what I was envisioning. Niri tabs stack windows inside a single spot in the horizontal infinite scroll, while what I was imagining was each tab being a container for a separate horizontal workspace.

                1.  

                  Yes, it has windows stacked in columns, like in Xmonad.

                  Woah, actually there’s something new in https://github.com/YaLTeR/niri/issues/933, just a few days after the 25-01 release.

                  1.  

                    That new thing is what I was referring to :)

                    The stacking seems only marginally useful to me.

                2.  

                  > Another little annoyance is that I like that Sway workspaces have their own global namespace. I’m used to Sway workspaces 1 and 3 living on the laptop screen, 2 (and rarely 4) on my external monitor by default. When I unplug the external monitor, the workspace 2 (and maybe 4) just migrates to the laptop screen temporarily without changing the numbers, while on Niri workspaces 1 and 2 from the external monitor become something like 4 and 5 on the laptop screen.

                  This is the only thing from Sway that I particularly miss on Niri. It makes sense given Niri’s Gnome-like dynamic workspaces, but I like switching between monitors by switching workspace, rather than having a separate system for it.

                3.  

                  There is a lot of stagnation in the Linux tiling window manager space these days when it comes to improving and iterating on actual workflows rather than aesthetics, and backwards compatibility continues to be a thorn in everyone’s side.

                  I’m more active in the Windows twm scene, and I’m seeing (and have personally worked on) attempts to integrate scrolling workflows into “traditional” twms - from my experience I don’t think this is an either/or situation, and the two approaches can co-exist in the same wm fairly well.

                  1.  

                    I’d be interested in hearing more about this. I recently switched from Sway to Niri on my home machines, but my work is a Windows shop. Here I use PowerToys Fancy Zones, and it’s okay, but I’d like to have a proper tiling WM.

                  2. 9

                    Wow, this is exactly the reaction I kinda imagined when I saw paperwm.

                    Before doing the switch from awesome to paperwm I found Niri and decided that I’ll move directly to wayland+Niri instead. Though I kinda haven’t had the guts to leave all my X helper scripts behind and actually move to wayland yet…

                    I guess this is what I needed to actually seriously consider switching to wayland soon. Thanks!

                    1.  

                      I found paperwm first, and it just really didn’t work for me, leading to me ignoring niri for a fairly significant amount of time by association. This post gave me the nudge to actually try it out, and I’m very pleasantly surprised! Going to be switching to it fully for a while to really get a feel for it, and then decide if I’ll stay definitively.

                      1.  

                        Curious - what do you like about niri that PaperWM didn’t have – or PaperWM has that niri doesn’t, I guess.

                        1.  

                          Running smoothly! (+ decoration handling, scaling, shortcut management…) Using PaperWM felt like replacing my touchpad with a cheese grater comparatively (I’m typically a labwc user).

                          1.  

                            I’ve used both, and there are trade-offs.

                            With PaperWM, you get all the integration that Gnome provides, mainly in terms of managing hardware devices. You can provide all of this for Niri, and I have (originally for Sway, but it was trivial to bring my Sway configuration over to niri), but there’s no turnkey solution.

                            On the other hand, niri is much faster and smoother than PaperWM, and less buggy (because PaperWM is forced to keep up with Gnome Shell compatibility and interaction with other extensions). I also find that it handles the interaction between workspaces and multiple displays better than PaperWM.

                            1.  

                              Generally, I haven’t had many complaints with PaperWM (knocks on wood) or found it to be buggy. I do worry about keeping up with GNOME – right now development with PaperWM seems active enough, but I can easily see a scenario where the developers move on and it stops working with newer versions of GNOME. If that day comes, I guess I’ll definitely be moving over to niri whether I want to or not.

                      2. 1

                        I love the idea. It is 100% in my wheelhouse and my aesthetic. I want to use this for everything.

                        However

                        I probably need to be reminded of this in a year or two.

                        1. 3

                          I might retitle this as “Why Go’s Error Handling Is Not As Bad As People Say”, just because it does make the good point that “Explicit is better than implicit”. That is, exceptions are bad in ways Go’s error handling is not, even if Go’s error handling is bad in ways exceptions are not.

                          Given a choice, I prefer Result types that require exhaustive handling of error conditions (and I say this as someone who generally dislikes Rust). At work, I use a language that has and widely uses (unchecked) exceptions. In my own code over the last few years, I’ve taken the position that I will never allow exceptions to propagate beyond method scope if the interface is under my control; instead, I will use a Result type wrapping the exception to pass it out to the caller.

                          1. 4

                            This is nice and old-school.

                            My static site is buckling under the strain of AI scrapers. I wonder when that problem will need addressing at this entry level.

                            but you don’t want to permaban the Google search bot!

                            I’m sorely tempted sometimes. I’m not convinced Google remain relevant in search anymore.

                            1. 4

                              I’ve banned Googlebot on my personal site, though only through robots.txt and not the user-agent sniffing I use for other bots. I don’t really care about it being searchable anymore.

                              1. 1

                                If Google isn’t relevant then what is?

                                1. 7

                                  Decentralised social media, rss feeds, and stuff built around those things to aid in discovery. Things like Lobsters! But it depends on what you want.

                                  1. 4

                                    Many (most?) of the non-Google search engines use Bing as their index.

                                2. 7

                                  This reminded me about a throwaway paragraph in the Signal crypto review (previously):

                                  It would be much simpler if Signal adopted something like RFC 9420 (Messaging Layer Security), but MLS doesn’t provide the metadata resistance that Signal prioritized.

                                  I wonder what metadata resistance Signal offers that Wire, through its use of MLS, doesn’t?

                                  1. 5

                                    The metadata resistance of Signal is largely mythical anyway since they necessarily have the metadata via other channels and just pinky promise not to look or store it.

                                    1. 2

                                      A source for this claim would be appreciated.

                                      1. 7

                                        You can derive it from necessity if you like. Signal server sees the message come in over a network connection from an app. The server must be able to deliver it to a target user. This is the metadata. That the message data on the wire doesn’t contain this metadata doesn’t prevent the server from knowing it, it must know it in order to function at all. Signal has never claimed otherwise; they only claim that the server forgets right away. But of course that must be taken on trust.

                                        1. 2

                                          At best, that associates two IP addresses… notwithstanding CGNAT, VPNs, MASQUE, and friends.

                                          But it doesn’t associate them with accounts / contacts. That’s a stronger guarantee than Matrix or XMPP. It may also be a stronger guarantee than Wire?

                                          1. 5

                                            > But it doesn’t associate them with accounts / contacts.

                                            That isn’t true. Signal messages need to be routed by account identifier, an IP address is not sufficient. And unless you have the “sealed sender” feature turned on, messages identify their senders.

                                            There’s no mechanism for the Signal server to know the IP addresses of iOS clients because an iOS device only maintains one persistent connection to Apple for notifications. There’s no way a Signal client can keep track of the IP addresses of its contacts, because it isn’t a mesh network, it’s a star. Even for non-iOS devices, an IP address isn’t sufficient to identify a client because (for example) there are multiple clients in our house and our house has only one IP address.

                                            1. 4

                                              Sealed sender is also not a good protection if Signal was to actually start keeping logs. There are two sources of metadata leakage with sealed sender:

                                              1. You need to acquire a sender certificate before you can use sealed sender. If you do this from the same IP as you later use when sending a message, your IP and your identity can be linked.

                                              2. When you send a message, the receiver sends a delivery notice back to you. This is a simple correlation, a sealed message to Person A on IP address X from IP address Y is immediately followed by a sealed message from IP address X to Person B on IP address Y.

                                              1. 3

                                                Sealed sender is enabled by default, no?

                                                1. 2

                                                  So it is. As far as I can tell the official documentation for the feature is still this blog post https://signal.org/blog/sealed-sender/ which makes it sound like the feature is incomplete, but the last few paragraphs say they were (in 2018) rolling it out to everyone so I guess the preview was actually the main event.

                                                  1. 1

                                                    I just checked in settings. There’s only “show when it’s used” and “allow for even unknown senders” preferences for me, which makes me conclude that it’s already enabled by default and can not be disabled.

                                                2. 0

                                                  Yes, and if you do have Sealed Sender turned on, the only metadata left on the server that’s needed for message delivery is a 96-bit “delivery token” derived from a “profile key” that conveniently rotates whenever you block an account.

                                                  1. 1

                                                    My reading of the description of sealed sender is that the delivery token is used to check that the sender is allowed to send to the recipient – it’s an anti-abuse mechanism. It is used when the server is deciding whether to accept a message, it isn’t used to decide where to deliver the message.

                                                    1. 1

                                                      I was going off the above-linked blog post that dives into the Signal internals.

                                                      1. 1

                                                        That is not my reading of the server code for either single or multi-recipient messages. And Signal iOS at least seems to use sealed sender by default, though it falls back to unsealed send if there’s an auth failure, which seems bad. (so the server can force the client to identify itself? … but I also can’t find anywhere that throws RequestMakerUDAuthError.udAuthFailure, so maybe it’s dead code…)

                                                        But I admit it’s a very casual reading of the code!

                                                        edit: found it!

                                                  2. 3

                                                    To say what sibling says in a different way, the connection the message is delivered to the server over must be authenticated. If it weren’t, the server would not accept the message, due to spam reasons etc., so the server knows the account of the sender. And it needs to know the account of the receiver for delivery to be possible.

                                                    1. 1

                                                      I strongly suspect you’ve misunderstood how Signal works. What do you think about https://soatok.blog/signal-crypto-review-2025-part-8/, specifically the addendum section?

                                                      1. 2

                                                        That article specifically admits this is true. Signal doesn’t choose to write it down (assuming the published code is what they run), which means it cannot be recovered after the fact (if you trust the server to not have recorded this). Of course any other operator could also not write this down and one could choose to trust that operator. It’s not specific to Signal really.

                                                        1. 2

                                                          I believe we agree that the server must know the recipient of a message. I believe we disagree about whether the server needs to know the sender of a message.

                                                          Erm, so what do you mean by authenticated?

                                                          That article notes the sender’s metadata is (e2e) encrypted. The server accepts and routes messages whose envelope includes a delivery token. And, similarly, that delivery token is shared via e2e encrypted sessions to all a recipient’s contacts.

                                                          It’s unclear to me how unknown senders / randos are handled, however. I haven’t read that deep into the code.

                                                  3. 2

                                                    Sure, that’s fair.
                                                    But I was hoping your claim was more substantial than just this, since, as the child comment below says, almost all Signal competitors suffer from this.

                                                    1. 2

                                                      Not just almost all. It is fundamentally impossible for a communications system to operate if whoever does the routing doesn’t know sender and receiver identity at some point (and send/receive time, which is also metadata).

                                                      If you do onion routing you could make it so only one part knows sender and one part knows receiver, which is how the remailer network worked but that’s the only instance I’m aware of doing that. Everyone else has the metadata and it’s just various shades of promising not to write it down.

                                                      1. 2

                                                        Aren’t there protocols for deniable drop offs on servers and similar? Those wouldn’t scale well, but AFAIK they work. So they are possible (just not practical).

                                                        1. 1

                                                          There is SecureDrop, but as far as the technology is concerned it’s a web app accessed via Tor. The rest of the anonymity guarantees come from server-side opsec performed by the recipient org https://docs.securedrop.org/en/stable/what_is_securedrop.html

                                                        2. 2

                                                          SimpleX is a chat system that does onion routing. Only two hops, and I am not vouching for anything about the app or its servers; just noting this feature.

                                                          1. 3

                                                            They were also recently audited by Trail of Bits, so SimpleX is probably not clownshoes.

                                                      2. 1

                                                        This level of metadata leakage (IP addresses) is also true of nearly every so-called Signal competitor too.

                                                        1. 3

                                                          No one claimed otherwise. The context is the claim expressed above that you get worse metadata resistance than Signal, which seems irrelevant given that Signal doesn’t really have it either.

                                                          1. 1

                                                            Sorry. I hear this line of argument on Hacker News and Reddit a lot, only for the person to turn around and recommend XMPP or Matrix instead. I wanted to cut it off at the pass.

                                                  4. 1

                                                    Look at zkgroup for a deep dive into that question.

                                                  5. 0

                                                    Planned and enforced obsolescence via certificates.

                                                    This is the future the “HTTPS everywhere” crowd wants ;)

                                                    It will be interesting to see if Google fixes this. On the one hand, brand value. On the other, it’s a chance to force purchase of new hardware!

                                                    1. 47

                                                      > This is the future the “HTTPS everywhere” crowd wants ;)

                                                      Not me. I want HTTPS Everywhere and I also don’t want this.

                                                      1. 6

                                                        What’s your marketing budget? If you aren’t aligned with the marketing budget havers on this, how do you expect them to treat you when your goals diverge?

                                                        See also, fast expiring certificates making democratized CT logs infeasible, DNS over HTTPS consolidating formerly distributed systems on cloudflare. It’s not possible to set up a webpage in 2025 without interacting with a company that has enough money and accountability to untrustworthy governments to be a CA, and that sucks.

                                                        HTTPS is cool and all, but I wish there was a usable answer that wasn’t “just centralize the authority.”

                                                        1. 3

                                                          Sigh. Lobsters won’t let me post. I must be getting rate limited? It seems a bit ridiculous, I’ve made one post in like… hours. And it just shows me “null” when I post. I need to bug report or something, this is quite a pain and this is going to need to be my last response as dealing with this bug is too frustrating.

                                                          > See also, fast expiring certificates making democratized CT logs infeasible, DNS over HTTPS consolidating formerly distributed systems on cloudflare.

                                                          Can you tell me more about these? I think “infeasible” is not accurate but maybe I’m wrong. I don’t see how DoH consolidates anything as anyone can set up a DoH server.

                                                          > It’s not possible to set up a webpage in 2025 without interacting with a company that has enough money and accountability to untrustworthy governments to be a CA, and that sucks.

                                                          You can definitely set up a webpage in 2025 pretty with HTTPS, especially as you can just issue your own CA certs, which your users are welcome to trust. But if your concern is that a government can exert authority within its jurisdiction I have no idea how you think HTTP is helping you with that or how HTTPS is enabling that specifically. These don’t feel like HTTPS issues, they feel like regulatory issues.

                                                          > HTTPS is cool and all, but I wish there was a usable answer that wasn’t “just centralize the authority.”

                                                          There are numerous, globally distributed CAs, and you can set one up at any time.

                                                          1. 2

                                                            Lobsters has been having some issues, I had the same trouble yesterday too.

                                                            The CT log thing is something I read on here iirc, basically that CT logs are already pretty enormous and difficult to maintain, if there are 5x as many cert transactions cause they expire in 1/5 the time the only people who will be able to keep them are people with big budgets.

                                                            I suppose I could set up a DoH server, but the common wisdom is to use somebody else’s, usually cloudflare’s, the fact that something is technically possible doesn’t matter in a world where nobody does it.

                                                            > especially as you can just issue your own CA certs

                                                            Are you joking? “please install my CA cert to browse my webpage” may technically count as setting up a web page but the barrier to entry is so high I might as well not. Can iphones even do that?

                                                            > There are numerous, globally distributed CAs, and you can set one up at any time.

                                                            That’s a lot more centralized than “I can do it without involving a third party at all.”

                                                            I dunno, maybe I’m just romanticizing the past but I miss being able to publish stuff on the internet without a Big Company helping me.

                                                            1.  

                                                              > The CT log thing is something I read on here iirc, basically that CT logs are already pretty enormous and difficult to maintain, if there are 5x as many cert transactions cause they expire in 1/5 the time the only people who will be able to keep them are people with big budgets

                                                              Strange but I will have to learn more.

                                                              > I suppose I could set up a DoH server, but the common wisdom is to use somebody else’s, usually cloudflare’s

                                                              Sure, because that’s by far the easiest option and most people don’t really care about centralizing on Cloudflare, but nothing is stopping people from using another DoH.

                                                              > Are you joking? “please install my CA cert to browse my webpage” may technically count as setting up a web page but the barrier to entry is so high I might as well not. Can iphones even do that?

                                                              iPhones being able to do that isn’t really relevant to HTTPS. If you want to say that users should be admins of their own devices, that’s cool too.

                                                              As for joking, no I am not. You can create a CA, anyone can. You don’t get to decide who trusts your CA, that would require work. Some companies do that work. Most individuals aren’t interested. That’s why CAs are companies. If you’re saying you want a CA without involving any company, including non-profits that run CAs, then there is in fact an “open” solution - host your own. No one can stop you.

                                                              You can run your own internet if you want to. HTTPS is only going to come up when you take on the responsibility of publishing content to the internet that everyone else has to use. No one can stop you from running your own internet.

                                                              That’s a lot more centralized than “I can do it without involving a third party at all.”

                                                              As opposed to running an HTTP server without a third party at all? I guess technically you could go set up a server at your nearest Starbucks but I think “at all” is a bit hard to come by and always has been. Like I said, if you want to set up a server on your own local network no one is ever going to be able to stop you.

                                                              I dunno, maybe I’m just romanticizing the past but I miss being able to publish stuff on the internet without a Big Company helping me.

                                                              What did that look like?

                                                        2. 1

                                                          I want the benefits of HTTPS without the drawbacks. I also want the benefits of DNS without the drawbacks.

                                                          On the one hand, I am completely sincere about this. On the other, I feel kind of foolish for wanting things without wanting their consequences.

                                                          1. 1

                                                            Which drawbacks? I ask not because I believe there are none, but I’m curious which concern you the most. I’m sympathetic to wanting things and not wanting their consequences haha that’s the tricky thing with life.

                                                            1. 4

                                                              HTTPS: I want the authentication properties of HTTPS without being beholden to a semi-centralized and not necessarily trustworthy CA system. All proposed alternatives are, as far as I know, bad.

                                                              DNS: I want the convenience of globally unique host names without it depending on a centralized registry. All proposed alternatives are, as far as I know, bad.

                                                        3. 42

                                                          These kinds of accusations are posts that make me want to spend less on lobsters. Who knows if it’s planned or accidental obsolescence? Many devices and services outlive their teams by much longer than anticipated. Everyone working in software for a long while has experienced situations like those. I also find the accusation that HTTPS is leading to broken devices rather wild…

                                                          I want to offer a different view: How cool is it that the device was fixable despite Google’s failure to extend/exchange their certificate. Go, tell your folks that the Chromecast is fixable and help them :)

                                                          1. 14

                                                            For me, it’s takes like yours that irritate me. Companies that are some of the largest on the planet don’t need people like you to defend them, to make excuses for them, to try to squelch the frustration directed towards them because they’re either evil or incompetent.

                                                            By the way, there is no third option - either they’re evil and intended to force obsolescence upon these devices, or they’re incompetent and didn’t know this was going to happen because of this incompetence.

                                                            The world where we’re thinking it’s cool that these devices are fixable tidily neglects the fact that 99% of the people out there will have zero clue how to fix them. That it’s fixable means practically nothing.

                                                            1. 10

                                                              For me, it’s takes like yours that irritate me. Companies that are some of the largest on the planet don’t need people like you to defend them, to make excuses for them, to try to squelch the frustration directed towards them because they’re either evil or incompetent.

                                                              Who cares? No one is defending Google. People are defending deploying HTTPS as a strategy to improve security. Who cares if it’s Google or anyone else? The person you’re responding to never defends Google, none of this has to do with Google.

                                                              By the way, there is no third option - either they’re evil and intended to force obsolescence upon these devices, or they’re incompetent and didn’t know this was going to happen because of this incompetence.

                                                              Who cares? Also, there is a very obvious 3rd option - that competent people can make a mistake.

                                                              Nothing you’ve said is relevant at all to the assertion that, quoting here:

                                                              This is the future the “HTTPS everywhere” crowd wants ;)

                                                              1. 3

                                                                Even though you’re quoting me, you must be mistaken - this post is about Google, and my response was about someone who is defending Google’s actions (“Who knows if it’s planned or accidental obsolescence?”).

                                                                I haven’t a clue how you can think that a whole post about Google breaking Google devices isn’t about Google…

                                                                To the last point, “https everywhere” means things like this can keep being used as an excuse to make fully functional products into e-waste over and over, and we’re left wondering if the companies responsible are evil or dumb (or both). People pretending to not get the connection aren’t really making a good case for Google not being shit, or for how the “https everywhere” comment is somehow a tangent.

                                                                1. 1

                                                                  Nope, not mistaken. I think my points all stand as-is.

                                                            2. 2

                                                              Take what you want from my employment by said company, but I would guess absolutely no-one in privacy and security has any wish/intention/pressure to not renew a certificate.

                                                              I have no insider knowledge about what has happened (nor could I share it if I did! But I really don’t). But I do know that the privacy and security people take their jobs extremely seriously.

                                                              1. 7

                                                                Google has form in these matters, and the Chromecast as a brand even has an entry here:

                                                                https://killedbygoogle.com/

                                                                But in the future I’ll be more polite in criticizing one of the world’s biggest companies so that this place is more welcoming to you.

                                                                1. 17

                                                                  This isn’t about who you criticize, I would say the same if you picked the smallest company on earth. This is about the obvious negativity.

                                                                  This is because the article isn’t “Chromecast isn’t working and the devices all need to go to the trash”. Someone actually found out why and people replied with instructions on how to fix these devices, which is rather brilliant. And all of that despite Google’s announcements that it would discontinue it.

                                                                  1. 14

                                                                    This is the future the “HTTPS everywhere” crowd wants ;)

                                                                    I’m not exactly sure what you meant by that, and even the winky face doesn’t elide your intent and meaning much. I don’t think privacy and security advocates want this at all. I want usable and accessible privacy and security and investment in long term maintenance and usability of products. If that’s what you meant, it reads as a literal attack rather than sarcasm. Poe’s law and all.

                                                                    1. 8

                                                                      Not all privacy and security advocates wanted ‘HTTPS everywhere’. Not all of the ‘HTTPS everywhere’ crowd wanted centralized control of privacy and encryption solutions. But the privacy and security discussion has been captured by corporate interests to an astonishing degree. And I think @gerikson is right to point that out.

                                                                      1. 4

                                                                        Do you seriously think that a future law in the US forcing Let’s Encrypt (or any other CA) to revoke the certificates of any site the government finds objectionable is outside the realms of possibility?

                                                                        HTTPS everywhere is handing a de facto publishing license to every site that can be revoked at will by those that control the levers of power.

                                                                        I admit this is orthogonal to the issue at hand. It’s just an example I came up with when brewing some tea in the dinette.

                                                                        1. 19

                                                                          In an https-less world the same people in power can just force ISPs to serve different content for a given domain, or force DNS providers to switch the NS to whatever they want, etc. Or worse, they can maliciously modify the content you want served, subtly.

                                                                          Only being able to revoke a cert is an improvement.

                                                                          Am I missing something?

                                                                          1. 3

                                                                            Holding the threat of cutting off 99% of internet traffic over the head of media companies is a great way to enforce self-censorship. And the best part is that the victim does all the work themselves!

                                                                            The original sin of HTTPS was wedding it to a centralized CA structure. But then, the drafters of the Weimar constitution also believed everything would turn out fine.

                                                                            1. 8

                                                                              They’ve just explained to you that HTTPS changes nothing about what the government can do to enact censorship. Hostile governments can turn your internet off without any need for HTTPS. In fact, HTTPS directly attempts to mitigate what the government can do with things like CT logs, etc, and we have seen this work. And in the singular instance where HTTPS provides an attack (revoke cert) you can just trust the cert anyways.

                                                                              edit: Lobsters is basically completely broken for me (anyone else just getting ‘null’ when posting?) so here is my response to the reply to this post. I’m unable to reply otherwise and I’m getting no errors to indicate why. Anyway…

                                                                              Yeah, “trust the cert anyway” is going to be the fig leaf used to convince a compliant SCOTUS that revoking a certification is not a blatant violation of the 1st amendment. But at least the daily mandatory webcast from Dear Leader will be guaranteed not to be tampered with during transport!

                                                                              This is getting ridiculous, frankly.

                                                                              You’ve conveniently ignored everything I’ve said and focused instead on how a ridiculous attack scenario that has an obvious mitigation has 4 words that somehow you’re relating to SCOTUS and 1st amendment rights? Just glossing over that this attack makes almost no sense whatsoever, glossing over that the far easier attacks apply to HTTP at least as well (or often better) as HTTPS, glossing over the fact that even more attacks are viable against HTTP that aren’t viable against HTTPS, glossing over that we’ve seen CT logs actually demonstrate value against government attackers, etc etc etc. But uh, yeah, SCOTUS.

                                                                              SCOTUS is going to somehow detect that I trusted a certificate? And… this is somehow worse under HTTPS? They can detect my device accepting a certificate but they can’t detect me accessing content over HTTP? Because somehow the government can’t attack HTTP but can attack HTTPS? This just does not make any sense and you’ve done nothing to justify your points. Users have been more than charitable in explaining this to you, even granting that an attack exists on HTTPS but helpfully explaining to you why it makes no sense.

                                                                              1. 3

                                                                                Going along with your broken threading

                                                                                My scenario was hypothetical.

                                                                                In the near future, on the other side of an American Gleichschaltung, a law is passed requiring CAs to revoke specific certificates when ordered.

                                                                                If the TLS cert for CNN.com is revoked, users will reach a scary warning page telling the user the site cannot be trusted. Depending on the status of “HTTPS Everywhere”, it might not be able to proceed past this page. But crucially, CNN.com remains up, it might be accessible via HTTP (depending on HSTS settings) and the government has done nothing to impede the publication.

                                                                                But the end effect is that CNN.com is unreadable for the vast number of visitors. This will make the choice of CNN to tone down criticism of the government very easy to make.

                                                                                The goal of a modern authoritarian regime is not to obsessively police speech to enforce a single worldview. It’s to make it uneconomical or inconvenient to publish content that will lead to opposition to the regime. Media will parrot government talking points or peddle harmless entertainment. There will be an opposition and it will be “protected” by free speech laws, but in practice accessing its speech online will be hard to impossible for the vast majority of people.

                                                                                1. 4

                                                                                  But crucially, CNN.com remains up, it might be accessible via HTTP

                                                                                  I feel like your entire argument hinges on this and it just isn’t true.

                                                                                  1. 3

                                                                                    If the USA apparatus decides to censor CNN, revoking the TLS cert wouldn’t be the way. It’ll be secret court orders (not unlike the recent one the British government has sent to Apple), and, should they not comply, apprehension of key staff.

                                                                                    And, even if such a cert revocation happened, CNN would be able to get a new one within seconds by contacting any other ACME CA; there are even some operating in the EEA.

                                                                                    I think your whole argument is misguided, and not aimed at understanding the failures of Google, but at lashing out at an only tangentially related problem space.

                                                                                    And my comment is not a defence of Google or Cloudflare; I consider both to be malicious for a plethora of reasons.

                                                                                    1. 1

                                                                                      You’re still thinking like the USSR or China or any totalitarian government. The point isn’t to enforce a particular view. The point is to prevent CNN or any other media organization from publishing anything other than pablum, by threatening their ad revenue stream. They will cover government talking points, entertainment, even happily fake news. Like in Russia, “nothing is true and everything is possible”.

                                                                                      And, even if such a cert revocation happened, CNN would be able to get a new one within seconds by contacting any other ACME CA; there are even some operating in the EEA.

                                                                                      Nothing is preventing the US from only allowing certs from US based issuers. Effectively, if you’re using a mainstream browser, the hypothetical law I have sketched out will also affect root CAs.[1]

                                                                                      I think your whole argument is misguided, and not aimed at understanding the failures of Google, but at lashing out at an only tangentially related problem space.

                                                                                      I proposed a semi-plausible failure mode of the current CA-based certification system and suddenly I’ve gotten more flags than ever before. I find it really interesting.


                                                                                      [1] note that each and every one of these attempts to block access will have quite easy and trivial workarounds. That’s fine, because as stated above, having 100% control of some sort of “truth” is not the point. If nerds and really motivated people can get around a block by installing their own root store or similar, it will just keep them happy to have “cheated the system”. The point is having an atomized audience, incapable of organizing a resistance.

                                                                                      1. 4

                                                                                        I proposed a semi-plausible failure mode of the current CA-based certification system and suddenly I’ve gotten more flags than ever before. I find it really interesting.

                                                                                        The flags are me and they’re because your posts have been overwhelmingly low quality, consisting of cherry picking, trolling, rhetoric, and failing to engage with anyone’s points. You also never proposed any such attack, other users did you the favor of explaining what attack exists.

                                                                                        The closest thing you’ve come to defining an attack (before others stepped in to hand you one) is this:

                                                                                        Holding the threat of cutting off 99% of internet traffic over the head of media companies

                                                                                        It’s not that interesting why you’re getting flagged. IMO flags should be required to have a reason + should be open, but that’s just me, and that’s why I virtually always add a comment when I flag a post.

                                                                                        This is one of the only posts where you’ve almost come close to saying what you think the actual problem is, which if I very charitably interpret and steel-man on your behalf I can take as essentially “The US will exert power over CAs in order to make it hard for news sites to publish content”. This utterly fails, to be clear (as so many people have pointed out that there are far more attacks on HTTP that would work just as well or infinitely better, and as I have pointed out that we have seen HTTPS explicitly add this threat model and try to address it WITH SUCCESS using CT Logs), but at least with enough effort I can extract a coherent point.

                                                                                        1. 4

                                                                                          I have around 30 flags right now in these threads (plus some from people who took time off their busy schedule to trawl through older comments for semi-plausible ones to flag). You’re not the only one I have pissed off.[1]

                                                                                          (I actually appreciate you replying to my comments but to be honest I find your replies quite rambling and incoherent. I guess I can take some blame for not fully cosplaying as a Project 2025 lawyer, instead relying on vibes.)

                                                                                          It’s fine, though. I’ve grown disillusioned by the EFF style of encryption boosting[2]. I expect them to fold like a cheap suit if and when the gloves come off.


                                                                                          [1] but I’m still net positive on scores, so there are people on the other side too.

                                                                                          [2] they’ve been hyperfocussed on the threat of government threats to free speech, while giving corporations a free pass. They never really considered corporations taking over the government.

                                                                                          1. 3

                                                                                            Hm, I see. No, I certainly have not flagged all of your posts or anything, just 2 or 3 that I felt were egregious. I think lobsters should genuinely ban more people for flag abuse, tbh, but such is the way.

                                                                                            It’s interesting that my posts come off as rambly. I suppose I just dislike tree-style conversations and lobsters bugs have made following up extremely annoying as my posts just disappear and show as “null”.

                                                                                            1. 1

                                                                                              I’ve been getting the “null” response too. There’s nothing in the bug tracker right now, and I don’t have IRC access. Hopefully it will be looked at soon.

                                                                                              As to the flags, people might legitimately feel I’m getting too political.

                                                                                            2. 1

                                                                                              I can take some blame for not fully cosplaying as a Project 2025 lawyer, instead relying on vibes.

                                                                                              Genuine question, is this aimed at me?

                                                                                              1. 1

                                                                                                Nope. Unless you are a lawyer for Project 2025.

                                                                                    2. 2

                                                                                      Yeah, “trust the cert anyway” is going to be the fig leaf used to convince a compliant SCOTUS that revoking a certification is not a blatant violation of the 1st amendment. But at least the daily mandatory webcast from Dear Leader will be guaranteed not to be tampered with during transport!

                                                                                      1. 4

                                                                                        Wouldn’t you agree that certificate transparency does a better job detecting this kind of thing than surreptitiously redirecting DNS would?

                                                                                        1. 2

                                                                                          The point of this hypothetical scenario would be that the threat of certificate revocation would be out in the open, to enforce self-censorship to avoid losing traffic/audience. See my comment here:

                                                                                          https://lobste.rs/s/mxy0si/chromecast_2_s_device_authentication#c_lyenlf

                                                                            2. 11

                                                                              But in the future I’ll be more polite in criticizing one of the world’s biggest companies so that this place is more welcoming to you.

                                                                              Flagged as trolling. I’m also extremely critical of Google’s killing of various services.

                                                                              1. 3

                                                                                I’m not sure any of those are good examples of planned obsolescence. As far as I can tell, they’re all services that didn’t perform very well that Google didn’t want to support, tools that got subsumed into other tools, or ongoing projects that were halted.

                                                                                I think it’s reasonable to still wish that some of those things were still going, or that they’d been open-sourced in some way so that people could keep them going by themselves, or even that Google themselves had managed them better. But planned obsolescence is quite specifically the idea that you should create things with a limited lifespan so that you can make money by selling their replacements. As far as I can tell, that doesn’t apply to any of those examples.

                                                                                1. 0

                                                                                  Trust Google to not even manage to do planned obsolescence right either…

                                                                            3. 13

                                                                              This is the future the “HTTPS everywhere” crowd wants ;)

                                                                              Please refrain from smirky, inflammatory comments.

                                                                              1. 7

                                                                                I get that it’s a tongue in cheek comment, but this is what falls out of “we want our non-https authentication certificates to chain through public roots”.

                                                                                There is no reason for device authentication to be tied to PKI - it is inherently a private (as in “only relevant to the vendor”, not secret) authentication mechanism so should not be trying to chain through PKI, or PKI-like, roots.

                                                                                1. 9

                                                                                  Hyperbole much? Sometimes an expired certificate is just an expired certificate

                                                                                  1. 10

                                                                                    Why is this hyperbole? It is clear that even an enterprise the size of Google, famous for its leetcode-topping talent, is unable to manage certificates at scale. This makes it a pretty good point against uncritical deployment of cryptographic solutions.

                                                                                    1. 10

                                                                                      Microsoft let microsoft.com lapse that one time. Should we give up on DNS?

                                                                                      1. 6

                                                                                        When Microsoft did that I wasn’t standing embarrassed in front of my family failing to cast cartoons on the TV. So it was their problem, not my problem.

                                                                                        (It is still bricked today btw)

                                                                                      2. 6

                                                                                        No one has ever argued for “uncritical deployment” of any solution, let alone cryptographic ones.

                                                                                        1. 2

                                                                                          Maybe I’m reading too much into “HTTPS everywhere” then.

                                                                                          1. 3

                                                                                            Maybe. I think there are two ways to interpret it - “HTTPS Everywhere” means “literally every place” or it means “everywhere that makes sense, which is the vast majority of places”. But, to me, neither of these implies “you should deploy in a way that isn’t considered and that will completely destroy a product in the future”, it just means that you should very likely be aiming for a reliable, well supported deployment of HTTPS.

                                                                                        2. 2

                                                                                          I was replying more to the “planned and enforced obsolescence” conspiracy theorizing.

                                                                                          It is true that managing certificates at scale is something not a lot of large organizations seem to be able to pull off, and that’s a legitimate discussion to have… but I didn’t detect any good faith arguments here, just ranting

                                                                                    2. 1

                                                                                      I like this idea! Do you think it’s extreme to try and implement dark/light mode using static HTML? I can’t seem to find a good workaround for a javascript-less solution to give people the option to choose to deviate from their system preference.

                                                                                      But it sure feels like overkill to generate a copy of each page just to avoid making someone enable JS to change the colors on their screen… which I don’t even do because I prefer everything in dark mode anyway.

                                                                                      1. 9

                                                                                        There’s a CSS-only way (using a heavily restyled checkbox) to toggle other CSS attributes:

                                                                                        <!DOCTYPE html>
                                                                                        <html>
                                                                                        <head>
                                                                                        <style type="text/css">
                                                                                        .colors input:where([type="checkbox"][role="switch"]) {
                                                                                          appearance: none;
                                                                                          font-size: inherit;
                                                                                          margin: auto;
                                                                                          color: inherit;
                                                                                        }
                                                                                        .colors input:where([type="checkbox"][role="switch"])::before {
                                                                                          content: "dark";
                                                                                        }
                                                                                        .colors:has(input:where([type="checkbox"][role="switch"]):not(:checked)) {
                                                                                          color-scheme: dark;
                                                                                        }
                                                                                        .colors input:where([type="checkbox"][role="switch"]):checked::before {
                                                                                          content: "light";
                                                                                        }
                                                                                        .colors:has(input:where([type="checkbox"][role="switch"]):checked) {
                                                                                          color-scheme: light;
                                                                                        }
                                                                                        
                                                                                        :root {
                                                                                          color-scheme: light dark;
                                                                                        }
                                                                                        
                                                                                        body {
                                                                                          background-color: light-dark(ghostwhite, darkslategray);
                                                                                          color: light-dark(darkslategray, ghostwhite);
                                                                                        }
                                                                                        </style>
                                                                                        </head>
                                                                                        <body class="colors">
                                                                                        <input type="checkbox" role="switch"/>
                                                                                        <h1>Colorful!</h1>
                                                                                        </body>
                                                                                        </html>
                                                                                        
                                                                                        1. 4

                                                                                          Today I learned that light-dark() is a thing! Thanks!

                                                                                          1. 1

                                                                                            I’m using a similar idea for my own dark mode checkbox: https://isuffix.com (website is still being built).

                                                                                            GP comment might enjoy more examples of CSS :has() in this blog post: https://www.joshwcomeau.com/css/has/

                                                                                          2. 7

                                                                                            I don’t understand why so many web sites implement a dark mode toggle anyway. If your page uses CSS conditionally on prefers-color-scheme to apply a light theme or dark theme depending on the user’s system preference, why isn’t that enough?

                                                                                            For example, if the user is looking at your page in light theme and suddenly they think their bright screen is hurting their eyes, wouldn’t they change their system preference or their browser’s preference to dark? (If they don’t solve the problem by just lowering their screen brightness.) After they do so, not only your page but all their other apps would look dark, fixing their problem more thoroughly.

                                                                                            For apps (native or web) the user hangs around in for a long time, I can see some reasons to allow customizing the app’s theme to differ from the system’s. A user of an image editing app might want a light or dark mode depending on the brightness of the images they edit, or a user might want to theme an app’s windows so it’s easily recognizable in their window switcher. But for the average blog website, these reasons don’t apply.

                                                                                            1. 8

                                                                                              I am curious about how many people use it as well. But it certainly is easier to change by clicking a button in your window than going into your system or browser settings, which makes me think that it would be nice to add. Again, for the imagined person who decides to deviate from their system preference.

                                                                                              Although you’ve made me realize that even thinking about this without putting work into other, known-to-be-used accessibility features is kind of ridiculous. There is lower hanging fruit.

                                                                                              1. 4

                                                                                                Here’s a concrete example. I generally keep my browser set to dark mode. However, when using dark mode, the online training portal at work switches from black text on a white background to white text on a white background. If I wanted to read the training material, I would need to go into my browser settings and switch to light mode, which then ruins any other tab I would switch to.

                                                                                                If there was a toggle button at the training portal, I could switch off dark mode for that specific site, making the text readable but not breaking my other tabs. Or, if the training portal at work won’t add the button, I could at least re-enable dark mode in every tab whose site had added such a toggle.

                                                                                                1. 5

                                                                                                  Or, hear me out, instead of adding javascript to allow users to work around its broken css, the training portal developers could fix its css?

                                                                                                  (Browsers should have an easy per-site dork mode toggle like the reader mode toggle.)

                                                                                                  1. 3

                                                                                                    I feel like this is something to fix with stylus or a user script, maybe?

                                                                                                    1. 1

                                                                                                      sounds like the button fixes it

                                                                                                      1. 1

                                                                                                        Sure, but only on sites that provide a button. It seems a little silly that one bad site should mean that you change your settings on every other site / don’t have your preferred theme on those sites.

                                                                                                      2. 1

                                                                                                        Or the DarkReader extension or similar.

                                                                                                    2. 2

                                                                                                      Given how widely different colour schemes can vary, even just within the broad realms of “light” and “dark”, I can imagine some users would prefer to see some sites in light mode, even if they want to see everything else in dark mode. It’s the same reason I’ve set my browser to increase the font size for certain websites, despite mostly liking the defaults.

                                                                                                      It would be nicer if this could be done at the browser level, rather than individually for each site (i.e. if there was a toggle somewhere in the browser UI to switch between light/dark mode, and if the browser could remember this preference). As it is, a lot of sites that do have this toggle need to either handle the preference server-side (not possible with static sites, unnecessary cookies), handle the preference client-side (FOUC, also unnecessary cookies), or don’t save the preference at all and have the user manually toggle with every visit. None of these options are really ideal.

                                                                                                      That said, I still have a theme switcher on my own site, mostly because I wanted to show off that I made two different colour schemes for my website, and that I’m proud of both of them… ;)

                                                                                                    3. 6

                                                                                                      I remember the days when you could do <link rel="alternate stylesheet" title="thing" href="..."> and the browser would provide its own nice little ui for switching. Actually, Firefox still does if you look down its menu (view -> page style), but it doesn’t remember your preference across loads or refreshes, so meh, not a good user experience. But hey, page transitions are an IE6 feature coming back again, so maybe alternate stylesheets will too someday.

                                                                                                      The prefers dark mode css thing really also ought to be a trivial button on the browser UI too. I’m pretty sure it is somewhere in the F12 things but I can’t even find it so woe on the users lol.

                                                                                                      But on the topic in general too, like I think static html is overrated. Remember you can always generate html on demand with a trivial program on the server with these changes and still use all the same browser features…

                                                                                                      1. 2

                                                                                                        I’ve been preparing something like this. You can do it with css pseudo selectors and a checkbox: :root:has(#checkbox-id:checked) or so; then you use this to either ‘respect’ the system theme, or invert it.

                                                                                                        The problems I’m having with this approach:

                                                                                                        • navigating away resets the checkbox state
                                                                                                        • svg and picture elements have support for dark/light system theme, but not for this solution
                                                                                                        1. 2

                                                                                                          Yeah, I think I saw the checkbox trick before, but the problems you outline make the site/page/dark and site/page/light solution seem more enticing, since they can avoid especially the state reset issue. I like the idea of respecting/inverting the system theme as a way of preserving a good default, though!

                                                                                                          1. 2

                                                                                                            Yeah, as an alternative, for the state issue I was thinking of using a cookie + choose the styles based on it, but that brings a whole host of other “issues”

                                                                                                      2. 30

                                                                                                        Not as an OSS maintainer, but I have been asked to do something pretty ridiculous by a nonprofit in their interview process: fix an actual reported bug in their OSS codebase. Bug got fixed, test passed, my code lives in their project forever, I did not get hired.

                                                                                                          1. 5

                                                                                                            I have been a professional software developer for 20 years. I like to think of myself as being up on the world of web technologies. And I just truly don’t understand how I’m supposed to use a web app offline. How do I get to it to use it? Am I the only one who has this disconnect of usability? Because I love this, but it’s never made sense to me.

                                                                                                            1. 4

                                                                                                              Theoretically, you use the web app once online. The app is cached forever, and works on local data from there on out, and syncs local data to the server when you’re online.

                                                                                                              In practice, nothing is ever cached when you need it to be, so you have a store of offline data that you can only use when you’re online to reach the app. (This ought to be fixed by now, by putting everything the app needs to start up in the service worker, but it still seems like it always goes wrong somehow.)

                                                                                                              1. 4

                                                                                                                It seems to me like browsers aren’t really made to handle “owning” data, it’s all set up and designed with the assumption that the source of truth is somewhere else. I’d never trust a browser to be the only place where something important was saved. But perhaps that’s just me?

                                                                                                                1. 1

                                                                                                                  I think the idea is generally that local storage is only a temporary cache, and gets synced with the server when online. “Local-first” isn’t local-only!

                                                                                                                  Often, as a user, I’d rather have a somewhat fragile local cache than no functionality at all when I go offline for a bit. But of course that depends on the app domain.

                                                                                                                  But, it’s an interesting idea… would you trust a browser-based app that used (say) a local sqlite db rather than LocalStorage, and didn’t have a server-based backing store at all?

                                                                                                                  1. 5

                                                                                                                    Yet another alternative to having a server side is tiddlywiki-style self-replicating single-file programs that simply happen to run in a web browser.

                                                                                                                    1. 2

                                                                                                                      I like it. Just “Save Page As…” and done. Add lightweight peer discovery and a replication protocol, and that could be a very interesting evolutionary niche.

                                                                                                                      Xememex is a multiuser TiddlyWiki from Intertwingled Innovations. It allows large groups of people to work together on intertwingled wikis that can share content. It is implemented as a serverless application on Amazon Web Services. […] Xememex is currently only available under commercial terms from Intertwingled Innovations.

                                                                                                                      Intertwingled, eh? Meanwhile the original Xanadu says “WE FIGHT ON”. I’d be more interested in the cult of Nelson if this community wasn’t so doggedly doubled-down on commercial licensing and weird ideas about copyright.

                                                                                                                    2. 2

                                                                                                                      Somewhere between absolutely not and probably not. The browsers themselves are the part I don’t trust. Safari will nuke your site’s storage after some number of days without use, so it’s unacceptable to rely on a local-only approach for that browser. Beyond that, their IndexedDB implementation is buggy and those bugs have been unfixed for years.

                                                                                                                      On Android, device manufacturers sometimes purge the browser storage when the device is low on disk.

                                                                                                                      Firefox keeps “local files” locked inside the “origin private file system (opfs)” so you still can’t back up your data easily; even though they’re supposedly the browser of user freedom, allowing a user to store actual local files in the real file system is Too Dangerous.

                                                                                                                      Only Chrome provides an API that will let a browser app read & write to a file or directory that actually exists in the real world.

                                                                                                                      So maybe I would trust that local only app in Chrome.

                                                                                                                2. 2

                                                                                                                  You visit the url, but the browser doesn’t load those direct from the web these days but instead asks the service worker what to do first. The service worker provides the stored asset and it works even though you have no internet.

                                                                                                                3. 34

                                                                                                                  The push for local-first is driven by a few key new technological capabilities that previously restricted client devices from running heavy local-first computing:

                                                                                                                  No, it kept web pages from running heavy local-first computing. Native apps have been capable of this for quite a long time.

                                                                                                                  This article is pretty egregious in conflating “client” with “web browser”, which is a pet peeve of mine.

                                                                                                                  1. 28

                                                                                                                    Web developers will adopt complex new storage and synchronization APIs rather than ~~go to therapy~~ write native apps.

                                                                                                                    1. 18

                                                                                                                      I think it’s more like application developers will go to some lengths to only have to support one broadly accessible platform rather than about five (iOS, Android, macOS, Windows, and “linux” as though it were only one target. Sorry BSD folks and other OS super-minorities). I can’t really blame them.

                                                                                                                      1. 10

                                                                                                                        I am a solo dev at a small company. I develop and maintain a CRUD app that magically works on iPads, phones, desktops, barcode scanners etc. All thanks to… just being a website.

                                                                                                                        I still broadly agree that native is preferable though

                                                                                                                      2. 12

                                                                                                                        Websites:

                                                                                                                        • are vastly easier to get working cross-platform
                                                                                                                        • have a built-in update mechanism
                                                                                                                        • are automatically heavily sandboxed
                                                                                                                        • come with a pretty nice interactive debugging toolchain
                                                                                                                        • don’t need any toolchain to start creating them other than a text editor and a browser

                                                                                                                        Obviously there’s a lot of benefits to native applications too, but it’s not like there’s no reason to prefer browsers as an application platform.

                                                                                                                        1. 7

                                                                                                                        A few more:

                                                                                                                        • no need to install anything (navigate to url vs install)
                                                                                                                        • trivial and free deployment and distribution (no marketplace!!)
                                                                                                                        • getting out in front of the world is possible without any build, bundling and packaging!!
                                                                                                                      3. 6

                                                                                                                        Seriously. While reading this I was thinking yes, I have seen this movie. Outlook/Exchange started going around this circle 25 years ago. Local storage makes the UI super fast, and search works great. But then you have to sync, which means you have conflicts, which are in general impossible to solve without interrupting and confusing the user and doing a ton of work to solve cases the product people don’t want to think about. So in the name of sanity you go back to remote storage. Now the illusion of consistency is easier to maintain, but the UI is high-latency and freezes all the time, and the backend is baking client behavior into their APIs all over the place. Sentiment turns the other way and somebody funds the project to flip back to local storage (usually as if they just invented the idea). Repeat forever.

                                                                                                                        I mean, heck, if you want to go back to 1990, this is the NFS vs. AFS argument.

                                                                                                                        1. 1

                                                                                                                          I’m strongly in the local-first camp. I recognize the problems you describe, but we’re getting better at dealing with them.

                                                                                                                          1. 3

                                                                                                                            Seems like there has been a lot of progress on better theoretical underpinnings (CRDTs etc.), which presumably is a good thing.

                                                                                                                      4. 15

                                                                                                                        I’ve never been asked to do anything for free by any company.

                                                                                                                        I guess my projects aren’t popular enough :’)

                                                                                                                        1. 16

                                                                                                                          I specifically spend my copious free time on ridiculous niche projects in a niche language so that no one ever asks for support.

                                                                                                                          1. 5

                                                                                                                            Same here. More the opposite: companies wanting to pay me to do things on open source projects I’m no longer particularly interested in. Maybe it’s just that I don’t do much directly user-facing stuff and so the people at companies I deal with are developers who understand the effort required to do what they wanted, but most of my interactions with companies from the F/OSS side have always been them asking some variant of ‘we really need this {feature,bug fix}, how much would it cost for you to do it for us?’.

                                                                                                                          2. 11

                                                                                                                            I think most of the issues the author has are solved, or are in the process of being solved, by Forgejo.

                                                                                                                            Trust

                                                                                                                            I host Forgejo myself for personal repos and I’m very happy with it. It’s 100% open source, copy-left even.

                                                                                                                            Heavyweight [and] a lot more effort than hosting a plain git repository

                                                                                                                            Forgejo is a single binary written in Go. It’s pretty light on resources, I’m running it on a Raspberry Pi 4. It’s easy to install, but there are a couple setup steps. Creating the git user, setting a handful of config options, setting up the systemd service. It’s not a huge deal, but I do think this can be improved if distributions start picking up Forgejo and packaging it properly.

                                                                                                                            I use Fedora and they have announced they want to move to Forgejo for all their git hosting needs. I hope this will lead to a package in the official repos, I’d love that.

                                                                                                                            Account management

                                                                                                                            You don’t need an account to do any of the things that are possible with a bare repo. You can even do more without an account. For example, you can check all the discussions in issues and pull requests as the author mentions. You only need an account for stuff that’s not possible at all with a bare repo, this functionality is purely additive. All the other workflows like sending a mail with a url to a fork and the name of a branch are still possible with a forge! You are circumventing the workflow the forge is offering you, but there is no law against that.

                                                                                                                            Also, Forgejo is working on federation, so that might improve even further in the future. But I can’t give Forgejo points for it before it actually exists.

                                                                                                                            You get a workflow imposed on you

                                                                                                                            The author corrected themselves here, so kudos to them. Just like with GitLab, you can turn off almost all features of a repository. Forgejo even lets you disable the code section, which I have done for my “notes” wiki. So, everything about the notes repo is hidden, except the wiki.

                                                                                                                            In conclusion, I don’t think hosting a bare repo is bad, but I do think you’re missing out if you do that. Forgejo often surprises me with features I didn’t know I wanted. Builtin container registry? Awesome, that in combination with Podman+Quadlet is by far the simplest deployment workflow for custom apps that’s fully open-source and self-hosted I have yet to discover. And I didn’t even know about it when I started hosting Forgejo.

                                                                                                                            1. 7

                                                                                                                              You don’t need an account to do any of the things that are possible with a bare repo.

                                                                                                                              If you want to have contributions coming from people, they need an account. If they want to comment in some PR/MR or issue, they need an account.

                                                                                                                              So if you want any collaboration on the project, they need an account or you need to set up a secondary service for discussions without need for an account. Forgejo in its current state is nice for solo or cathedral-style projects. Not really for bazaar-style projects.

                                                                                                                              1. 5

                                                                                                                                None of that addresses my point: You can do everything with Forgejo you can do with a bare git repo and there is no requirement to use any of the purely additive features that require an account. If you think Forgejo is unsuitable for bazaar-style collaboration, then so is a bare git repo.

                                                                                                                                1. 4

                                                                                                                                  This is technically true, but I’ve never seen a Forgejo-hosted repo (other than my own) where the maintainer was willing to accept patches over email. They probably do exist somewhere, but they are unusual. Almost everyone using Forgejo wants you to also use Forgejo.

                                                                                                                                  1. 3

                                                                                                                                    True. But that’s because they dislike email, not because Forgejo is putting some kind of obstacle in their way to accept patches via email.

                                                                                                                                  2. 2

                                                                                                                                    What can you do with Forgejo without an account that you can’t do with a bare repo?

                                                                                                                                    1. 2

                                                                                                                                      Probably not a lot that people universally benefit from. But a lot of situational stuff.

                                                                                                                                      First of all, the person hosting Forgejo is getting a lot more features (presumably one makes an account at least for themselves). You can do your own issue tracking, I like to work that way. It’s basically just a project-scoped todo list for me. You can push your own releases, e.g. I might want to cross-compile for ARM on my x86 machine so I can later download it on my raspberry pi. Or a rendered typst document that you want to share with people by sending them a link. You have your own container registry, which is extremely convenient for self-hosting your custom apps. Plus a bunch of language-specific registries (that’s more relevant for orgs I suppose, who want to have private libraries). You get the wiki in case you like that. As mentioned I basically use a “notes” repo with only the wiki activated as my notes app (not luxurious, but handy). You can also host a Forgejo actions runner if you want to build your own CI/CD.

                                                                                                                                      Other people may benefit depending on how the host uses Forgejo. If the host uses Forgejo like a bare repo, then yeah, the benefit is small. (I would say it’s at least a much nicer UI for browsing code, history, diffs and so on.) If the host makes releases, publishes containers, they could benefit that way. The issue tracker can tell people what the host is planning to work on.

                                                                                                                                      In conclusion, the benefits are situational. You may conclude for yourself that there’s not much for you to benefit from hosting Forgejo and that’s fine.

                                                                                                                                      1. 3

                                                                                                                                        Thank you for the detailed explanation. I don’t think those things would be of interest to the author (based on this blog post, anyway) but I can see how they would be handy if you didn’t already have your own alternatives.

                                                                                                                                        I plan to start self-hosting again sometime so it’s interesting to learn how different people do it.

                                                                                                                                2. 4

                                                                                                                                  Also, Forgejo is working on federation, so that might improve even further in the future. But I can’t give Forgejo points for it before it actually exists.

                                                                                                                                  Yeah, federation would solve some of my pain points with Forgejo, because I’m unwilling to open up account creation on my instance, or to have people ask me to make them accounts. Basically, my Forgejo makes my issue tracker public to read, and I will copy in bug reports or comments from email. I also take contributions by email, the same as if I had a bare git repo and gitweb. I guess I do find it kind of more convenient to manage than gitweb, too.

                                                                                                                                  I’m not sure Forgejo would solve any problems OP has, but it wouldn’t make them worse, either.

                                                                                                                                  1. 1

                                                                                                                                    Also, Forgejo is working on federation, so that might improve even further in the future. But I can’t give Forgejo points for it before it actually exists.

                                                                                                                                    I have a hard time imagining that federation will provide better UX compared to what a decent desktop app for managing patches via email could provide. The contribution flow, if it’s like mastodon, is going to be confusing. Users will also need to have an account somewhere to contribute, and if they find a PR or issue they want to contribute on a different server (say via a link), they will need to go back to their own instance and find the repository there. I hate that about mastodon, where if someone links me to a profile that I want to follow, I need to go back to my own instance and find that user again. Not to mention all the extra work Forgejo will need to re-implement that was handled by email providers such as handling spam.

                                                                                                                                    1. 1

                                                                                                                                      Yeah, I have no idea what federation could look like, so I’m cautiously pessimistic.

                                                                                                                                      what a decent desktop app for managing patches via email could provide

                                                                                                                                      PLEASE tell me about any apps you know that make email-based workflows bearable. I’M BEGGING YOU.

                                                                                                                                      I’m using aerc at the moment because most GUI clients seem to hate plain text and bottom posting. The TUI is nice, I got the keybinds configured like Helix… but… it’s still email.

                                                                                                                                      1. 1

                                                                                                                                        Unfortunately aerc (outside of emacs) is one of the better clients. I just think it’s less effort and the end result would be better if the focus was a new interface for git and email rather than extending git with activitypub and building an interface for that extension.

                                                                                                                                  2. 6

                                                                                                                                    Naming is hard but there’s already a well established Lynx in the Web space.

                                                                                                                                    What they mean by “native” is you write JavaScript, (a subset of) HTML, and (a subset of) CSS that they render into the platform’s standard elements. See Behind the Elements: Native Rendering.
                                                                                                                                    So naming is doubly hard, but this one can be blamed on Facebook’s React Native.

                                                                                                                                    I don’t have opinions about the project itself, I just wanted to know where the overtone window for “native” is nowadays.

                                                                                                                                    1. 6

                                                                                                                                      the overtone window

                                                                                                                                      You mean the Overton Window, but I like your malapropism. (And/or you’ve made a joke that’s too fancy for me.)

                                                                                                                                      1. 1

                                                                                                                                        Thanks! It was a mere typo. I knew it was the name of the person that coined it but didn’t stop and think when writing.

                                                                                                                                      2. 2

                                                                                                                                        I also initially thought of the Lynx browser.

                                                                                                                                      3. 3

                                                                                                                                        Thanks for the link to https://micro.blog/, it looks intriguing. You don’t mention SSGs + static hosting, but I think they’ve gotten pretty accessible and there are lots to choose from, one can mix and match and even move between hosts without too much trouble, if you own a domain. I think that’s sort of the natural way to approach the simple web.

                                                                                                                                        But… people want to be able to leave comments, and there’s the rub. A comment can be (in my mind anyway) even below the “micro-blog post” threshold, but its context is fixed to a post, or perhaps to other comments. A commenting system pretty much requires identity management of some form, and then moderation… it gets complicated pretty quickly, and user expectations for feature sets have risen quite a bit since the early days of forums. There are several comment systems I’m aware of that are reasonable enough to add to a static blog, but then you have a third party. Or perhaps you can self-host on a little VPS, but then it’s no longer static-simple. Either way, real-time commenting exposes you to some risk, and requires constant moderation effort.

                                                                                                                                        I’m fond of the old-fashioned, anonymity preserving, moderate-before-publish paradigm, but it’s too slow and too much effort for all but the smallest conversation. You can encourage people to publish “comments” about your blog on their own blogs, and thus sidestep moderation, but that’s much less accessible and gets disjointed quickly. Or you can just let a “social network” take care of all that, but then you lose discoverability and control. I wish I knew of a better way.

                                                                                                                                        1. 6

                                                                                                                                          When I’ve dabbled in having comments I’ve been disappointed in the quality. IMO it’s not worth all the downsides you mention. I’d encourage bloggers to provide an easy-to-find email address, and I’d encourage readers of blogs to consider sending an email even if it’s “hey, I really liked this post!” As a long-time small-fish tech blogger these conversations do happen sometimes and they’re quite fun. Not all our discussions need to double as public performance art à la microblogging. :)

                                                                                                                                          That said, when you do want to comment on something publicly the link-and-comment-in-own-post approach you mention is nice too. As a reader I don’t think it’s too bad to follow the backlinks. It’s gently applying a little structure ad-hoc where it’s needed rather than forcing all conversation into a threaded system to begin with.

                                                                                                                                          1. 3

                                                                                                                                            I put my email address a few different places, plus I send out a newsletter.

                                                                                                                                            A handful of times each year I get a genuine handwritten email from someone. It’s always a delight and I try to respond with as much effort as they put in to their message.

                                                                                                                                            I wish I got a bit more of those random outreaches.

                                                                                                                                          2. 3

                                                                                                                                            I feel like you might be interested in smallweb: https://www.smallweb.run/

                                                                                                                                            Smallweb tries to make creating dynamic websites as painless as static ones. No build / deploy step, you just create a folder in your internet folder and it’s instantly available at https://<folder>.<domain>. To switch between hosts, you can just rsync an app folder between different smallweb instances, or even the whole smallweb folder.

                                                                                                                                            There is a live demo available at https://demo.smallweb.live

                                                                                                                                            1. 2
                                                                                                                                              1. 1

                                                                                                                                                Edited the post to include Bear Blog <3 thanks for reminding me of it.

                                                                                                                                              2. 2

                                                                                                                                                Thanks for the kind words. I’ve been considering starting a little monthly zine just to surface cool blogging stuff. SSGs alone number in the hundreds at this point. I do mention Jekyll in the post though, which is an SSG.

                                                                                                                                                You can have “comments” without too much fuss in your blog if you support WebMentions. Then using something like Bridgy can help posts on microblogs mentioning your stuff appear on your blog. That is what I do with my blog (even though my third-party WebMention endpoint seems to be down atm).

                                                                                                                                                1. 2

                                                                                                                                                  Not sure recommending Microsoft’s GitHub for hosting is the path to breaking away from the corporations. The platform itself is corporate social media & there are quite a few alternatives that still fit free as in beer & freedom (or at least close to).

                                                                                                                                                  1. 2

                                                                                                                                                    I agree with you, I recommended many types of setups there and the criteria was around what are the most common ones that people can find a lot of information about if they search. I recommended many alternatives there that I am not onboard with such as GitHub and WordPress. My reasoning was around not pushing what is best for me but what can be an easy path for people. Also, it is fairly easy to move away from GitHub and carry your stuff with you, it is less of a silo than WordPress, which is a redeeming quality.

                                                                                                                                                    But I hear you and I agree. Been considering starting a zine to surface cool blogging stuff away from that mainstream stuff. Do you think that is something worthwhile to do? (just gauging if there is interest from people in this thread)

                                                                                                                                                    1. 2

                                                                                                                                                      After my first reply to you I stopped to think about it for five minutes and decided to edit the post to remove the GH link. I left Jekyll as a mention of a good SSG. Added Bear Blog too.

                                                                                                                                                  2. 1

                                                                                                                                                    Least bad option is post the link to your blog entry on your Fediverse microblog (e.g. Mastodon) account, then update your blog entry with the URL of that post as accepting comments.

                                                                                                                                                    I do like receiving email about posts, and on Gemini, it mostly works for people to just respond in their own blogs. But that’s mainly because Gemini is so small that everyone uses the same aggregators and is likely to see responses; it wouldn’t work for the web. Respond-on-blog and send webping/webmention works, but that introduces a non-static component.