I suspect you can curl/wget it if you want to see what it contains.
@prologic@twtxt.net Intriguing! It downloads on Firefox, but you aren’t actually supposed to download it, you’re supposed to let your calendar subscribe to it. (Sandstorm API URLs aren’t generally supposed to be accessed via normal browsers… there might be user agent code for that, not positive.)
Note: These aren’t hidden on the iOS app!
You see my entire message as the conversation ID, basically?
I kinda think this is a bug?
a post in parentheses, it assumes it’s a Yarn ID and hides it.
Apparently if I write a Yarn entirely in parentheses, I write a blank Yarn… But if I edit it, the text is still there. Test post to follow.
Calendaring is hard, so those who actually read the file will notice it’s set as 12 AM in America/Chicago… I should probably edit it to be based around UTC, or James’ time if he does any daylight savings stuff and intends the call to follow it accordingly… but if I amend this, and you subscribe, your calendar will get the updates!
@prologic@twtxt.net Host an ICS file people can add to their calendar of choice, which you can edit/update as needed.
Example: Subscribe to https://api-3da23a889bf723786c4367d1f36a1ca2.ocdhost.sandcats.io/.sandstorm-token/H-GeVZmxQN5aN3ArLHe7SDynYB5wEac1bxwq55ugQYB/export.ics in your calendar of choice. I have the current call schedule in it.
@prologic@twtxt.net We forgive you! Call was poppin’ today!
@lyse@lyse.isobeef.org Framadate is an open source tool for this.
@prologic@twtxt.net Yeah I have two options for static hosting I like: One is a Dropbox like file store, drag-drop files and they’re statically hosted, the other is a GitWeb instance where you can just push updates to it for static hosting.
@prologic@twtxt.net The green banner tells me you need that registration CAPTCHA. ;) https://git.mills.io/yarnsocial/yarn/issues/962
@carsten@yarn.zn80.net Another good option to bear in mind is the DomainConnect protocol, depending where you buy your domains: https://www.domainconnect.org/
It supports basically an open standard protocol of updating your DNS from a local script, and they provide both a Python script and a .NET app to do it.
@prologic@twtxt.net There’s a few places users will tend to prefer a monolith (social networks and feed readers come to mind), but anything document-based it makes a huge difference. The biggest downside is that since “starting the web server” happens every time you open a document, apps have to start very very fast. It’s why we prefer SQLite over MySQL heavily, for example. Also, MySQL has a lot of overhead per-database, which makes file sizes annoyingly large, for example.
From a size, isolation, and performance standpoint, a lot of your small Go apps fit very well in the model already. :)
There’s some interesting impacts here: If you don’t share a document with anyone else, there’s really zero way any vulnerabilities in the app itself can be exploited in any way, it’s not even running unless you open it via Sandstorm. So it’s safe to use these apps basically forever even without security updates.
The other big one is performance: Since apps are only running while you’re accessing them, there’s no performance cost to having a lot of different apps “installed” on your server. The cost of installing an app on your server is the storage, and CPU/memory is only impacted on demand.
In a normal Docker setup, a flaw in Etherpad could lead unauthorized users to access documents they shouldn’t be able to, or of course, edit documents without permission, including documents they weren’t supposed to have access to. Since Sandstorm spins up Etherpad containers on demand, if a user doesn’t have access to a document via Sandstorm, the server isn’t even loaded/running anywhere, and nobody can access it. When we do spin it up, the authorized user gets a container with… only the one document they have access to. A flaw in Etherpad could let a read-only user exploit their way into editing, but only, again, for the one document they already had access to.
Also, Sandstorm spins up these containers on ethereal randomized subdomains, and requires a unique authorization cookie on your browser to access them when they’re up. So they’re also very difficult to access even when they’re spawned without authorization.
If you consider an application like Etherpad, which by default, one would run and have dozens, hundreds, or thousands of documents, and you might host it at etherpad.yourdomain.com. And it’s always running, and its data is always available, and it’s using system resources. Additionally, you might want to share some documents with people, so people might have access to your Etherpad instance, but maybe only read-only, and only to some documents, or whatever.
Essentially the key concept is to move as much of the management of security and access to the platform, and not the individual application. Sandstorm assumes the applications might be insecure, or even actively malicious, and so we want them as inaccessible and locked down as possible all the time.
With a platform like YunoHost without virtualization, an RCE in an app could compromise everything on your server. A Docker-host like Cloudron or Umbrel, an RCE in an app could compromise all of the data in that app. More often than not, an RCE in a Sandstorm app grants zero ability to compromise anything at all. This means Sandstorm very rarely cares that apps have any good security practice at all: In most cases it just doesn’t matter.
So, @prologic@twtxt.net, I feel like I should convince you that your self-hosting solution you build should use containerized documents (Sandstorm calls them “grains” for kind of good reasons, but documents is usually applicable). This would have twofold benefits: 1. Your platform would be more secure/better. 2. Apps you build for it would probably be reasonably straightforward to also run on Sandstorm.
This is why I’m moving a bunch of my “sites” to basically internal-only apps on my Sandstorm server. I never really needed anyone else to have access anyways.
I mean, I am US Central, but I’m used to basing things on Eastern time so it’s not a big deal, lol.
@mckinley@twtxt.net Yeah, I just get a few hundred news items a day, I worry adding twts will double the daily backlog even if only following a few people.
@prologic@twtxt.net I found the Atom feed, but I’m worried it might be too noisy, I don’t want to overwhelm my feed reader too much. Hmm…
@mckinley@twtxt.net I may try to be there, wife may have other plans.
Sandstorm currently has no special behavior for local networks versus over the Internet: All things use the public IP and supports Let’s Encrypt. Access hence somewhat depends on hairpin routing, but certificates are no issue. On my home network, I actually adjusted my DNS to route my Sandstorm with local IPs internally, mind you, so it works when the Internet is down.
The way Sandstorm generally addresses the initial-user setup problem is that you can generate an “admin-token” from the CLI to log in administratively one time, and do whatever account setup (or OAuth configuration recovery) that you need to do.
I’m kinda curious where they failed out on this, considering it’s a ready-to-deploy app they support on Vultr, from the looks of it.
@prologic@twtxt.net Ooooh, that’s… hairier than I thought it would be. The whole “apps currently use hardcoded IPs thing” is also super weird.
@prologic@twtxt.net This sounds like a non-ideal user experience. Any idea what happened there or no?
@prologic@twtxt.net Obviously Yarn should be on Sandstorm, but as much as I knock other selfhosting platforms you could get on them very easily. Cloudron, Umbrel, etc. are basically just Docker hosts at the end of the day, but it’d put Yarn in front of everyone who uses those platforms for self-hosting.
@prologic@twtxt.net Probably written by someone who pulled all their repos off GitHub in protest. lol
@rob@twtxt.net There’s nothing that inherently blocks the federal government from passing a law banning abortion here, it’s just a claim the court establishing a right to abortion was an overreach. Bear in mind, both parties are willing to claim it should be a state’s rights thing… until they’re in the position to enforce their view federally.
@prologic@twtxt.net I’ll just have to hope Yarn becomes popular enough for someone to make a native iOS client app.
@mckinley@twtxt.net I prefer Jitsi’s UI but it performs fine. Bear in mind I didn’t hear or see anything on that call though.
@mckinley@twtxt.net Did you do this from memory or like… did you take notes? O.o
I don’t like all that Google UI design slapped onto my otherwise decent phone. :P
I installed Goryon, and it looks like someone shoved an Android app onto my iPhone.
Material design on my iPhone? Gross Feedback cc: @prologic@twtxt.net
@prologic@twtxt.net I can join! Like 38 minutes from now, right?
@prologic@twtxt.net So in actuality they already do: Nobody would be caught dead running vCenter without a valid support contract. Of course, that’s in addition to the upfront purchase.
Switching to fully subscription largely means disregarding the initial purchase, in favor of a higher yearly bill.
@prologic@twtxt.net The best part is the announcement they intend to rapidly shift VMware to subscriptions. So the acquisition hasn’t even closed and they’ve already announced they’re buying it just to bleed customers dry.
Literally the first time I remembered on the right day, lol.
@prologic@twtxt.net I was gonna join the call… but I’m tired. That’s probably a good list though, question is how many are willing to pay how much towards those goals. More users would definitely help.
Hmmm, what would you do with funds you raise?
And since the cut is just a portion of donated funds, there’s really no cost to having it set up. It costs nothing if you aren’t bringing anything in via it.
@prologic@twtxt.net OpenCollective is pretty solid if you want to accept donations, it takes away a lot of the legal questions at a modest cut. Sandstorm has one, we will be using it more soon.
@prologic@twtxt.net I do understand that, though it makes the engagement problem even worse, I have to remember I said something on here, and then actively check and see if anyone ever commented on it. I try to enable email notifications on every network I use (though some platforms do make this difficult to try to force you to browse directly on their site).
So like… there’s no notifications for this thing, are there, @prologic@twtxt.net?
The problem we keep seeing with open source businesses, is if it’s successful enough that Amazon, Google, or Microsoft want in on it, they’ll provide a service hosting your open source project cheaper than you can, without having done any of the development work or contributing anything back.
The OSI though has refused to accept SSPL as being “open source” though, so people argue that it is not. The view that I found in their discussions was that it “wasn’t their responsibility” to make open source businesses viable.