The fingerprint is also a link to the key on the default keyserver. This is totally fine, but maybe a link to the WKD would be better for a WKD profile?
Ok, one more thing I noticed because of the hoop-jumping for the keyserver: the profile page happily shows revoked UIDs. For example, my Gmail address is revoked in my key but is shown on the WKD profile page.
When using the profile view, keys are only fetched from https://keys.openpgp.org . This is the default keyserver everywhere on the website, but you always get a form with the possibility to overrule which keyserver is used. Since this profile page doesn’t have this possibility, it just uses https://keys.openpgp.org .
I’ve seen this before. Using https://dump.sequoia-pgp.org , I can see there are no identities inside the key. The keyserver does this to new keys when the uploader hasn’t confirmed the upload yet by clicking a link sent by email. Could this be happening?
Oh, weird. I’d never seen this keyserver before, so didn’t know they wanted me to go in and provide “consent” to distribute my public information that they presumably got from another keyserver already distributing it :P
I’m jumping through this hoop now, so hopefully that fixes it.
With htmlspecialchars() a & will become &amp;, but you want %26. I’m not 100% sure if it’s a security problem as such, but it’s certainly incorrect. Same applies in some other places.
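The encoding mismatch described in the comment above, as an added example that is not part of the thread or of Keyoxide's code: a value placed in a URL query string needs percent-encoding, and the finished URL then needs HTML-escaping for the attribute it sits in. The `/profile.php` path, the `id` parameter, the function names and the sample value are hypothetical and constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample input: an identifier containing URL metacharacters ('&', '+', '@').
$input = 'r&d+pgp@example.org';

/**
 * Wrong context: htmlspecialchars() escapes for HTML, not for URLs.
 * The '&' is written as '&amp;' in the page source, the browser turns it back
 * into '&' when it reads the attribute, and the server sees a parameter separator.
 */
function link_html_escaped_only(string $value): string
{
    // '/profile.php?id=' is a hypothetical endpoint.
    return '<a href="/profile.php?id=' . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '">profile</a>';
}

/**
 * Two contexts, two encoders: percent-encode the value for the URL component
 * (rawurlencode follows RFC 3986), then HTML-escape the whole URL for the attribute.
 */
function link_url_then_html(string $value): string
{
    $url = '/profile.php?id=' . rawurlencode($value);
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">profile</a>';
}

/**
 * Simulate the receiving side: undo the HTML escaping the way a browser does when
 * it reads the href attribute, then parse the query string the way PHP fills $_GET.
 */
function received_params(string $anchor): array
{
    if (!preg_match('/href="([^"]*)"/', $anchor, $m)) {
        return [];
    }
    $url = html_entity_decode($m[1], ENT_QUOTES, 'UTF-8');
    $pos = strpos($url, '?');
    $query = $pos === false ? '' : substr($url, $pos + 1);
    parse_str($query, $params);
    return $params;
}

foreach (['link_html_escaped_only', 'link_url_then_html'] as $builder) {
    $anchor = $builder($input);
    echo $builder, "\n  ", $anchor, "\n  ", json_encode(received_params($anchor)), "\n";
}
```

With the first builder the receiving page gets `id` truncated at the `&` plus a stray second parameter; with the second it gets the original string back unchanged.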
make basic cryptography operations accessible to regular humans
Keyoxide.org offers easy encryption, signature verification and decentralized identity proof verification based on PGP keys while demanding little in-depth knowledge about the underlying encryption program from its users.
What level of knowledge does this product expect of users, though? I have only the vaguest idea what this means, so I don’t know why I would reach for this product, and I’m a programmer by trade, not even a “regular human”. Maybe this language was more intended for the usual audience of the blog?
It aims to be mostly used by people not knowing how to work with PGP. The rationale is: if you have a keypair, you probably (should) know your way around PGP to get the most out of it.
However, the (public) key is not just for your own usage as the owner of it. Others can use it to encrypt a message for you or verify one of your signatures. Keybase also allows easy encryption but only for the keys hosted on their own servers. Keyoxide can use any publicly available key using the existing infrastructure.
I certainly need to work on my communication skills. I hope this clarifies it a little.
You might want to choose a simpler wording for your fields. I was very confused when looking at this page: https://keyoxide.org/encrypt
There are 5 fields with different information to fill in order to encrypt a message, which is not really “easy” for non-initiated users (you have to know what an HKP server or web key directory is for example). I only realized that only one of those 3 fields is necessary to encrypt the message later, and that’s because I have basic understanding of PGP.
On the other hand, the keybase counterpart you provided seems way more noob-friendly: huge area for the message, and a field for “whom” the message is for. No mention of “keys” or “servers” that would confuse someone that knows nothing about crypto.
Absolutely agreed, my biggest gripe as well. I’ve been experimenting with several layouts, still haven’t quite found the balance between “giving choice” and “making it clear what exactly needs to happen”!
One of these iterations, I’ll get it right! When I do, I’ll let you know :) thanks for the comment!
I guess this is a little off topic, but creating a browser engine is so difficult, I wonder if anybody has considered creating Markdown browsers and communities around them?
The key ideas would be:
Serve markdown (maybe an extended version) over HTTPS
Reuse existing server infrastructure
Only text, images, video, and audio - no client scripting
Leave all rendering decisions to the browser
Participating sites would (ideally) only link to other markdown sites
The HTML and Javascript web seems to get more and more like TV every day, with less user control and more centralized/corporate control. A new browser engine might help, but it feels like it’s beyond saving at this point.
Gemini is a new, collaboratively designed internet protocol, which explores the space inbetween gopher and the web, striving to address (perceived) limitations of one while avoiding the (undeniable) pitfalls of the other.
While not a browser per se, this is similar in spirit to your markdown browser idea.
I’m torn on this. I don’t really care for the CSS or layout for random news sites, but at the same time I really like the distinctive and wacky styles I see on people’s personal sites. Removing that element of individuality would, IMO, make the web more corporate.
Reminds me a bit of this post calling for a “Khyber Pass Browser”. I saw it in another forum, so I’ll paste my comments here as they also apply to your idea, and I’m intrigued by the design space and problem of staying simple:
What are your use cases or goals? I ask because I am ancient, and this sounds like a design doc for Mosaic 1.0, down to opening an external application to deal with those newfangled jpegs.
Depending on those high-level questions, maybe you want to lean way, way more into unix and do the most extreme version of “defer any content-specific rendering to user-specified helper programs” and like make a FUSE filesystem for browsing IPFS/DataShards or similar? Then you don’t even have to define a document format and write a renderer. (But more likely there’s some context/assumptions I’m missing.)
[discussion turned to the “should be implementable by a motivated undergrad in a year of free time” heading]
I think an undergrad with a high-level binding like fusepy could bang out an integration pretty quickly. But I’m not married to the idea, I was throwing it out there to try to figure out what’s important to you in this project, same with the use case/goals question. Is it networking? Is it a new document markup? Is it use of mimetypes?
A point I meant to make with the comparison: Mosaic was an undergrad project and thirty years later, here we are with browsers that have 10x more code than the OS it ran on. What about this project keeps it from growing? How would you allow it to change and adapt, but not grow? That’s a really fascinating problem; how do you repeal Zawinski’s Law? Is there something in your design space that you think will help a KBP become a living fossil?
I for one did not. The situation seems stable right now but we have to stay vigilant that those shenanigans are not repeated. When it does, the people will once again speak. Until then, it seems the .org TLD is safe for the moment. Any reason to believe otherwise?
Depending on your location, your country’s ccTLD may be better? If I have a French online business I probably don’t want my domain to be subject to US law.
I love the idea of a truly international non-commercial, non-profit TLD run for the public good. PIR is/was the closest we’ve had, maybe? They and their parent are US non-profits and subject to US courts though, right?
My personal domain is .org, so it’s subject to US courts and British courts (as that’s where I live). If I owned a .uk domain instead there would only be one set of laws in play, which I think would be better?
I know this is old, but on .xyz vs .org. The thing with .org was that it will turn into a for-profit, privately owned institution. From what I was able to find this has always been true for .xyz, which if that’s your concern is a worse choice.
Who knows what will happen to your domain registration when control is passed to the Mauritian government?
“The people of Mauritius are multiethnic, multi-religious, multicultural and multilingual. The island’s government is closely modelled on the Westminster parliamentary system, and Mauritius is highly ranked for democracy and for economic and political freedom.” - Wikipedia
I’m going to assume they’ll enjoy taking my money?
I would assume, and hope, so too. But they could also, like other ccTLDs, make you provide residency proof and make the .io TLD all about the territory, which is what its intended purpose was. Bottom line: we don’t know. So, it’s a little risk factor you need to be willing to make. Most will, no doubt. Still worth pointing out.
In a time when fewer and fewer ccTLDs require residency proofs and .io is an established profitable asset? Yeah, sure, they will make it all about an island with a tiny population because it makes perfect economic and political sense. ;)
I’m not sure if I missed something in the article, but is .xyz different from .org, .com etc. or is it just an alternative to .io with better availability of names?
The .xyz TLD is fun, small, refreshing, funky, a whole lot cheaper and you don’t support colonialism.
Perhaps, but it still sounds childish and looks like something you’d choose if all other serious options are not available. At least that’s the feel I get and I’m certain a lot of other more casual users do too. .io was kind of lucky that it managed to get into the .com, .net, .co.uk, … group of common domain names.
Yeah, good point. It must be my recent interactions with the indieweb, but… The internet is supposed to be fun and perhaps, to some degree, childish. For serious stuff, by all means, avoid .xyz, .wtf, .ooo, use .org, .com, .net, .tech, .news, .computer. There’s so much out there, even more meaningful than “input/output” :)
Sorry to be so cynical, but it’s easy to lose touch with the fun internet when even personal blogs are packed with trackers and advertising and trying to monetize everybody.
Except for some relatively obscure corners, the light hearted and fun internet is dead. At this point, I doubt most people ever even experienced that part of it.
I strongly disagree. Let’s say in 1995 there were 10 websites and all of them were fun and childish. In 2000 maybe there were 10,000 websites and 50 of them were fun and childish. In 2020 there are 10 million websites and 10,000 of them are fun and childish. And I see people calling that a bad thing?!
The internet of the 90s didn’t go away, there’s just more built up around it. You can have that old internet back, just block Facebook and Google and hell even the top million sites. All you have to do is just not visit the sites you don’t like. When I hear people say the old internet is gone what I hear is that they want all websites to be like the old internet. There’s more “old internet” today than there ever has been and it’s easier to find those sites than it ever has been. I don’t go into my favorite ice cream shop and complain about all the fancy new flavors, because I can still buy plain old vanilla. Strawberry shortcake didn’t replace my favorite flavor, it’s all still there. The only difference now is that I have other flavors tempting me, flavors no one is forcing me to buy. Vanilla is still there.
Complaining that the good sites are stuck to the obscure corners ignores the fact that the 90s web was an obscure corner.
I think you misunderstood what I was trying to say. I was on the internet in 1995, and while there are things I miss, like the higher signal to noise ratio and less advertising, I don’t have anything against the modern web and I don’t have any interest in making the modern internet more like the internet of the past.
The point I was making is that the whole mindset of the web has changed, and even if you block millions of sites you’re not going to get the same open and “fun” experience as browsing back in the 90s. The mere fact that you have to put so much effort into it changes the experience.
It’s like trying to relive the 1870s by driving a horse and buggy in traffic on modern streets - maybe you’re getting some idea for what it was like, but it’s a long ways off from what it was really like back then.
I didn’t intend for my comment to be a pointed one, or to blame anyone. It was perhaps directed more at the people who run those blogs that are packed with trackers and advertising.
Is that a film where the man is a thoughtful person or more of a badass? If thoughtful you can make a thoughtful argument. If badass, I suppose there isn’t much of an argument to be made.
I agree. I own both snazz.xyz (because it’s fun, short, and fits well with the theme of my username) and a more professional website with my CV and academic information at [firstname][lastname].com. I think that owning both serves me well at a lower annual cost than a single .io.
A couple thousand people got screwed over several decades ago by the British Government for geopolitical reasons therefore you shouldn’t buy the .io TLD? I don’t think that’s reasonable. .io is a useful de-facto gTLD with explicit tech connotations unlike .xyz, and as stated in the articles linked through by the OP a proportion of its profits are reinvested in internet infrastructure. Some things are worthy of boycotting, but this is not one of them.
I agree, the OP is perfectly free to boycott .io if they so choose. And I am perfectly free to say that I think it’s hand-wringing and an over-reaction. On a site like lobste.rs, which is rarely overtly political, a skimming reader might think that there is a good technical reason to not choose .io, which as far as I know is not the case.
And I am perfectly free to say that I think it’s hand-wringing and an over-reaction
I won’t try and convince you otherwise :)
might think that there is a good technical reason to not choose .io, which as far as I know is not the case
Well….. [1]
Also, the future of the TLD being uncertain due to these geopolitical issues is quite a technical reason not to choose .io [2] (I added an update about this to the post)
There are technical reasons too: it’s a poorly run registry with a bad record of nameserver uptime. The whole thing is held together with chewing gum and gaffer tape. I know this because of the “fun” I had going through ICB’s registrar accreditation process, where I spent most of the time getting them to fix bugs on their side.
A couple thousand people got screwed over several decades ago
Those people are still being screwed over, today. Denied their homeland, they are forced to remain stateless. Their buried dead lie in graves untended, their lands appropriated for CIA Black Sites and USAF weapons of mass destruction.
.io is a useful de-facto gTLD
It isn’t a gTLD, it’s a cockamamie “ccTLD” run for the benefit of the same people who have stolen the Chagossians’ homeland.
Some things are worthy of boycotting, but this is not one of them.
What would be worthy of boycotting, O Sage of the Internet?
I’m pretty sure tech firms have been treating it as essentially a gTLD for quite a while now.
What would be worthy of boycotting
China for atrocities against Uyghur Muslims, or Saudi Arabia for atrocities in Yemen. Nations and entities which have murdered people en-masse instead of just displacing them.
A couple thousand people got screwed over several decades ago by the British Government for geopolitical reasons therefore you shouldn’t buy the .io TLD? I don’t think that’s reasonable.
I’m surprised (perhaps disappointed) you don’t think that’s reasonable. I can’t think of many better reasons to boycott something. You say “a couple thousand people” as though that’s a number that should be treated as insignificant.
You say “a couple thousand people” as though that’s a number that should be treated as insignificant.
The suffering of one person is a tragedy, the suffering of “a couple thousand people” is a statistic, right? Considering how shady this whole thing is I think it is completely fair to just vote with your wallet and choose a different TLD at no inconvenience to yourself.
A couple thousand people got screwed over several decades ago by the British Government for geopolitical reasons therefore you shouldn’t buy the .io TLD? I don’t think that’s reasonable
You probably would revise your position if you were one of those couple thousand who had a foreign colonial government stealing your wealth.
Beyond the problematic colonist mindset here, there are actual technical reasons, well documented at this point, and with a little google fu you can find quite a few horror stories.
Well, there’s .tech, .computer, .systems. So why .io? Just because it means “input/output”? If I make a techy website, why do I need my domain to be associated with “input/output”? Also, few people outside tech will get the .io reference. To others, it’s just confusing.
The problem with long, unusual TLDs like those ones is that they don’t immediately parse as URLs when one reads them - in fact, less technical people may not even realize they are URLs at all (I accept this may be a feature not a bug :p). They also break a lot of field validators. You are to some extent right about non-technical people not associating IO with input/output - I think many consider the domain synonymous with those simple online multiplayer games in the vein of agar.io.
Is there a better source for the claim that .io would pass to the Mauritians if the UK ceded the Chagos islands (which I doubt will happen, but that’s beside the point)? Cynically, I am inclined to think that this will not happen.
Cynically, I am inclined to think that this will not happen.
On your side of the fence as well. I’d like to see it happen, but… UK giving up a source of money like that?
In the end, it’s risk assessment. If you feel your brand perception will improve by using .io and the chances of .io going “territory only” mode are slim, no one is stopping you.
It’s difficult, but I’m trying to not to judge. What other people do with their domains is their business. I’m really only asking to take these issues into consideration when buying a domain.
This is my latest FOSS project. After discussing ways to make basic PGP operations easy for non-techy people without having to rely on Keybase, I made this little web app that replaces Keybase’s signature verification functionality in an open source, more privacy-friendly and secure way.
This is a handy resource! I used to use a variety of websites to validate the different aspects of the indieweb on my website. Having it all on one page makes validating easier
I myself haven’t started yet. I installed a theme (WordPress) suggested by them and installed plugins but still didn’t start to do the things. Write about your steps. On your blog or Mastodon. I think I already have followed you.
That’s really well made! Any plans on using this same “real-time multiple roles” concept in a different application or project? Assuming you’re not going after Uber, that is 😉
Thanks! Didn’t think about it yet, web sockets that are used there could be set up in a better way, as far as I’m aware, currently, all users get notified about changes and filter out all messages unrelated to them… Regarding the next project, most probably I’ll make a landing page to help my father sell honey online, he is a beekeeper.
Yes, sounds a lot, considering that he has I think 15 hives. Financially it is not that much, here in Estonia, he can sell it as up to 8EUR/kg which gives ±4KEUR per year
Interesting, I was looking into Ansible, but I might try this as well for comparison.
I have to ask: I look at some of these scripts and wonder if a simple bash script is not shorter and more efficient than running python to install packages and move files around?
Some of these tools are (semi-)declarative. For instance, in Ansible, you usually define how you want the server to be like, and Ansible goes in to check whether that’s already true. If it is, Ansible does nothing (further). There are also shell commands that just run a shell script on the server, so those are obviously not declarative and get run on every run. But that’s sometimes useful as well.
This makes incremental development of a server using Ansible nice, since you can continuously keep running your whole stack to the server and only the changes get applied. Personally, after getting used to this, I consider the declarative nature to be the most important feature of such a tool.
I’ve sometimes thought that it might be interesting to try a migration model for server maintenance instead. Then you could just dumb down everything to running simple shell scripts, and the system simply keeps books on which server migrations have been run and which not. This obviously only would work if you can trivially start over, since doing reversal migrations all the time would be nasty. And you would need to make sure nobody does manual changes without this system. But you need to make such a restriction anyway in order to properly handle any larger number of systems.
I’ve recently switched my website’s design to a light theme and after some getting used to, it does read more comfortably. Even trying programming with light theme again.
Keybase is not open source. The whole premise is undone in the second sentence.
I’ll microoptimize my personal site once all proof-of-work blockchains are abolished.
I get your point, but also… Be the change you want to see.
I think by running this calculator on my site I generated more CO2 than the supposed 1-2 visitors per month do while visiting my page.
Also these example calculations. While neat, completely useless. When I move the visitors to 19500 per month it jumps to “2 trees” everything below that is “1 tree”. Well, yes, sure, that’s only a factor of 1000…
Presumably the article author has more traffic than that.
I certainly hope so, but this is more related to what gerikson said, also note the last line of the post:
I’m very sceptical of the calculator but it says my personal site would use 8kWh with 10k visitors per year. 1 watt per hour.
That’s nothing!! Focus on things in your life which matter, e.g. if you don’t run your air conditioner as much, you’d easily save 8kWh in just a couple of days.
Or don’t eat a steak and you’re able to run my website for like 4 years.
@yarmo & @cos
Both your points postulate that micro-optimizing your personal website is significant to “save the planet”.
Not going into politics here, but from a computer-science point of view everything is about trade-off.
Does the effort spent optimizing your personal website have a valuable impact on the problem you’re trying to solve?
One could argue that personal websites are definitely not a significant part of the energy used nowadays, and far lower than blockchain-related stuff.
That’s how I understand @gerikson’s point of view.
But then again, it does not forbid you to optimize your website if you feel like it.
To take a counter point, you frame your point as coming from a computer-science point of view, but you didn’t acknowledge that a lot of innovation in CS happens via grassroots movements where individuals work on a problem, and then industry adopts those solutions. If people start optimizing their personal sites, maybe they will take what they’ve learned on their own time and start doing it more at their job as well, maybe those people present their work at reducing COGS by reducing energy usage for some Top 500 websites. That could have real impact on the industry via knock-on effects. In my point of view this is how we as individuals can effect change in the industry, by working on problems and helping to disseminate them to the masses.
Industries adopt a solution not just because it’s trendy or because the common people use it, but more probably because this is a profitable solution.
I understand your point, but that is a lot of “maybe”.
The point is that you can increase profits by reducing the energy consumption of the software you are running in your own, or co-located data centers. Many companies throw money at the problem instead, people who have experience tuning for lower energy usage are, and will continue to be valuable assets to their teams. Practicing on your own projects is a useful and worthwhile exercise.
¯\_(ツ)_/¯
Actually, what I said is quite literally the opposite. Micro-optimizing my website will not save the planet. But if I’m not willing to go the extra mile, how can I expect a larger website with significant climate impact to do that without being a hypocrite?
Hi @yarmo,
@puffnfresh’s answer is what I would say too.
And like I said previously, that should not stop you from doing it!
Nope. My point is that the existence of worse offenders does not let you off the hook for your offenses. If you voluntarily maintain an excessively inefficient system which can be easily optimized, that’s on you. Just because there exist others who maintain massively more inefficient systems, that does not excuse the inefficiency of yours.
The effort is minimal. In the case of a personal website, what is one trying to solve? Sharing their identity and ideas with the world? Why should that ever require layer upon layer of excessively wasteful JavaScript-heavy frameworks?
Yes, this is necessarily true. However, it is irrelevant to the point I was making. If you care about waste, then reduce waste. Don’t wait to reduce waste until those more wasteful reduce theirs.
Yeah! And I’ll ride my bike to work once all trucks are abolished! And I’ll stop littering once all illegal dumpers are prosecuted! And I’ll recycle my plastics once all oil refineries are shut down! And I’ll go vegan once all poachers are lynched!
How would a ‘regular human’ perceive this site?
Would they understand/believe/trust that everything is done client-side? How do they know that the server isn’t reading their messages?
This feels a bit like the olden days, when many people were illiterate, so they had to pay a scribe to read or write for them if they received or wanted to send a letter.
I think what I’m trying to say is that this looks like asking a third party to help, rather than using a tool to do it yourself. Rightly or wrongly, many people would trust a tool where they wouldn’t trust a person.
I could imagine my family not even understanding the difference between client-side and server-side execution, let alone the benefits.
The intent for this tool is to be trusted by people who do understand how it works and recommend it to those who don’t. Currently, Keybase fills that gap the best, except I know many people who understand how Keybase works, do not appreciate it but are still forced to recommend it because of a lack of a better alternative.
Works are underway to have more (non-web) tools that can verify the identity proofs, but with regards to this particular instance, Keyoxide.org, the “regular human” might as well assume it’s as evil as any other corporate service and I couldn’t do a thing about that perception. I can only hope those who appreciate the inner workings of it to deliver the “you can trust this” message.
Add support for GitHub keys, e.g. https://github.com/puffnfresh.keys
Interesting, will look into this. Thing is that 1) this defeats the purpose of decentralized identity proof and 2) GitHub is already supported in a manner that does respect decentralized identity proofs. But I’ll still have a look!
my key fails to load https://keyoxide.org/59E682C3EAF39A210CA73534D11C2911CE519CDE
Trying with WKD (https://keyoxide.org/[email protected]) I see:
TypeError: keyData.publicKey.users[i].userId is null
Thanks for the report! I have just pushed a fix, it seems to be working for me now.
Thanks. Looks pretty good! The “encrypt message” and “verify message” links have the last dot replaced with an underscore in them, which then causes the page that loads up when clicking them to not work right.
The fingerprint is also a link to the key on the default keyserver. This is totally fine, but maybe a link to the WKD would be better for a WKD profile?
Fixed WKD links on WKD profiles.
Thanks!
Ok, one more thing I noticed because of the hoop-jumping for the keyserver: the profile page happily shows revoked UIDs. For example, my gmail address is revoked in my key but is shown on the WKD profile page.
That’s bad! Added to top of todo, thanks for letting me know!
The dot/underscore thing is strange, I’ll look into it right away.
WKD links for a WKD profile make a whole lot of sense :) will be fixed today.
When using the profile view, keys are only fetched from https://keys.openpgp.org . This is the default keyserver everywhere on the website, but you always get a form with the possibility to overrule which keyserver is used. Since this profile page doesn’t have this possibility, it just uses https://keys.openpgp.org .
It appears to be there: https://keys.openpgp.org/search?q=59E682C3EAF39A210CA73534D11C2911CE519CDE
I’ve seen this before. Using https://dump.sequoia-pgp.org , I can see there are no identities inside the key. The keyserver does this to new keys when the uploader hasn’t confirmed the upload yet by clicking a link sent by email. Could this be happening?
Oh, weird. I’d never seen this keyserver before, so didn’t know they wanted me to go in and provide “consent” to distribute my public information that they presumably got from another keyserver already distributing it :P
I’m jumping through this hoop now, so hopefully that fixes it.
Indeed it is! Really strange, looking into this today
You want to use urlencode() instead of htmlspecialchars() here: https://codeberg.org/yarmo/keyoxide/src/branch/main/server/verifyLobsters.php#L3
With htmlspecialchars() a & will become &amp;, but you want %26. I’m not 100% sure if it’s a security problem as such, but it’s certainly incorrect. Same applies in some other places.
Thanks, fixed it! https://codeberg.org/yarmo/keyoxide/commit/34cb9a073caae0a6a980bbbfd8cafc7c7817074f
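The escaping mix-up reported in the comment above, shown as an added PHP example (not part of the thread and not Keyoxide's code; the endpoint `https://example.org/lookup`, the `user` parameter and the input value are assumptions constructed for illustration). It builds the same request URL with each function and parses the query string back the way a receiving server would.

```php
<?php
// Added example: HTML escaping vs. URL encoding of a value placed in a query string.
// The endpoint, the parameter name and the input are hypothetical.

// Constructed input containing URL metacharacters (&, =, #).
$username = 'alice&admin=1#frag';

$base = 'https://example.org/lookup?user=';

// htmlspecialchars() escapes for an HTML context. "&" becomes "&amp;",
// which is still a parameter separator once the string is used as a URL,
// and "=" and "#" are left untouched.
$htmlEscaped = $base . htmlspecialchars($username);

// urlencode() escapes for a URL query component: "&" -> %26, "=" -> %3D, "#" -> %23.
$urlEncoded = $base . urlencode($username);

/**
 * Parse the query string of a URL into an array, as the receiving side would.
 */
function queryParams(string $url): array
{
    $params = [];
    parse_str((string) parse_url($url, PHP_URL_QUERY), $params);
    return $params;
}

foreach (['htmlspecialchars' => $htmlEscaped, 'urlencode' => $urlEncoded] as $label => $url) {
    $params = queryParams($url);
    echo $label, "\n";
    echo '  url:        ', $url, "\n";
    echo '  parameters: ', json_encode($params), "\n";
    // The value survived only if exactly one parameter arrived and it equals the input.
    $intact = count($params) === 1 && ($params['user'] ?? null) === $username;
    echo '  value intact: ', $intact ? 'yes' : 'no', "\n\n";
}

// Each context gets its own escaping. If the finished URL is later written
// into an HTML attribute, the whole URL is HTML-escaped at that point:
$href = htmlspecialchars($urlEncoded, ENT_QUOTES);
echo '<a href="', $href, '">lookup</a>', "\n";
```

With the HTML-escaped variant the receiver sees a truncated `user` value plus an extra parameter it never expected; with `urlencode()` the value round-trips unchanged.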
What level of knowledge does this product expect of users, though? I have only the vaguest idea what this means, so I don’t know why I would reach for this product, and I’m a programmer by trade, not even a “regular human”. Maybe this language was more intended for the usual audience of the blog?
It aims to be mostly used by people not knowing how to work with PGP. The rationale is: if you have a keypair, you probably (should) know your way around PGP to get the most out of it.
However, the (public) key is not just for your own usage as the owner of it. Others can use it to encrypt a message for you or verify one of your signatures. Keybase also allows easy encryption but only for the keys hosted on their own servers. Keyoxide can use any publicly available key using the existing infrastructure.
I certainly need to work on my communication skills. I hope this clarifies it a little.
You might want to choose a simpler wording for your fields. I was very confused when looking at this page: https://keyoxide.org/encrypt
There are 5 fields with different information to fill in order to encrypt a message, which is not really “easy” for non-initiated users (you have to know what an HKP server or web key directory is for example). I only realized that only one of those 3 fields is necessary to encrypt the message later, and that’s because I have basic understanding of PGP.
On the other hand, the keybase counterpart you provided seems way more noob-friendly: huge area for the message, and a field for “whom” the message is for. No mention of “keys” or “servers” that would confuse someone that knows nothing about crypto.
Absolutely agreed, my biggest gripe as well. I’ve been experimenting with several layouts, still haven’t quite found the balance between “giving choice” and “making it clear what exactly needs to happen”!
One of these iterations, I’ll get it right! When I do, I’ll let you know :) thanks for the comment!
Uploaded a new design, this should clear up that confusion :)
Very beautiful project. Will the code be shared?
I guess this is a little off topic, but creating a browser engine is so difficult, I wonder if anybody has considered creating Markdown browsers and communities around them?
The key ideas would be:
The HTML and Javascript web seems to get more and more like TV every day, with less user control and more centralized/corporate control. A new browser engine might help, but it feels like it’s beyond saving at this point.
https://gemini.circumlunar.space/
While not a browser per se, this is similar in spirit to your markdown browser idea.
I’m torn on this. I don’t really care for the CSS or layout for random news sites, but at the same time I really like the distinctive and wacky styles I see on people’s personal sites. Removing that element of individuality would, IMO, make the web more corporate.
Sounds kind of like the existing Gopherverse, sans HTTPS.
Reminds me a bit of this post calling for a “Khyber Pass Browser”. I saw it in another forum, so I’ll paste my comments here as they also apply to your idea, and I’m intrigued by the design space and problem of staying simple:
What are your use cases or goals? I ask because I am ancient, and this sounds like a design doc for Mosaic 1.0, down to opening an external application to deal with those newfangled jpegs.
Depending on those high-level questions, maybe you want to lean way, way more into unix and do the most extreme version of “defer any content-specific rendering to user-specified helper programs” and like make a FUSE filesystem for browsing IPFS/DataShards or similar? Then you don’t even have to define a document format and write a renderer. (But more likely there’s some context/assumptions I’m missing.)
[discussion turned to the “should be implementable by a motivated undergrad in a year of free time” heading]
I think an undergrad with a high-level binding like fusepy could bang out an integration pretty quickly. But I’m not married to the idea, I was throwing it out there to try to figure out what’s important to you in this project, same with the use case/goals question. Is it networking? Is it a new document markup? Is it use of mimetypes?
A point I meant to make with the comparison: Mosaic was an undergrad project and thirty years later, here we are with browsers that have 10x more code than the OS it ran on. What about this project keeps it from growing? How would you allow it to change and adapt, but not grow? That’s a really fascinating problem; how do you repeal Zawinski’s Law? Is there something in your design space that you think will help a KBP become a living fossil?
This might be up your alley https://twitter.com/BeakerBrowser/status/1274055038579675138?s=20
I could see myself using that, though I assume it’s going to be mostly for personal websites, so one will still need an extra conventional browser.
Really interesting idea
Wait, did folks already forget the recent fiasco around ICANN trying to sell away .org to a company that wanted to jack up rates?
I for one did not. The situation seems stable right now but we have to stay vigilant that those shenanigans are not repeated. When it does, the people will once again speak. Until then, it seems the .org TLD is safe for the moment. Any reason to believe otherwise?
No concrete reason, other than the pessimist in me just assumes this isn’t over and they’ll try again in a more subtle way than the first attempt.
They will try again, ICANN has shown itself to be untrustworthy.
The question isn’t whether .org is perfect. The question is whether anything else is better.
Depending on your location, your country’s ccTLD may be better? If I have a French online business I probably don’t want my domain to be subject to US law.
I love the idea of a truly international non-commercial, non-profit TLD run for the public good. PIR is/was the closest we’ve had, maybe? They and their parent are US non-profits and subject to US courts though, right?
My personal domain is .org, so it’s subject to US courts and British courts (as that’s where I live). If I owned a .uk domain instead there would only be one set of laws in play, which I think would be better?
I know this is old, but on .xyz vs .org. The thing with .org was that it will turn into a for-profit, privately owned institution. From what I was able to find this has always been true for .xyz, which if that’s your concern is a worse choice.
Or am I missing something?
If you’re mad at .io, definitely don’t look into .ly :D
You know I’m gonna :)
It’s Libya, so…who knows where that money is going…
.dev enforces HSTS TLD-wide
what does this have to do with .ly?
This issue has cropped up before now and then.
I’m going to assume they’ll enjoy taking my money?
I would assume, and hope, so too. But they could also, like other ccTLDs, make you provide residency proof and make the .io tld all about the territory, which is what its intended purpose was. Bottom line: we don’t know. So, it’s a little risk factor you need to be willing to make. Most will, no doubt. Still worth pointing out.
In a time when fewer and fewer ccTLDs require residency proofs and .io is an established profitable asset? Yeah, sure, they will make it all about an island with a tiny population because it makes perfect economic and political sense. ;)
I’m not sure if I missed something in the article, but is .xyz different from .org, .com etc. or is it just an alternative to .io with better availability of names?
.xyz is no different from .org, .com and I regret making .xyz the focus of my post… Any gTLD is great, as long you stand behind it!
Perhaps, but it still sounds childish and looks like something you’d choose if all other serious options are not available. At least that’s the feel I get and I’m certain a lot of other more casual users do too.
.io was kind of lucky that it managed to get into the .com, .net, .co.uk, … group of common domain names.
Yeah, good point. It must be my recent interactions with the indieweb, but… The internet is supposed to be fun and perhaps, to some degree, childish. For serious stuff, by all means, avoid .xyz, .wtf, .ooo, use .org, .com, .net, .tech, .news, .computer. There’s so much out there, even more meaningful than “input/output” :)
I couldn’t agree with this more. People have lost touch with this attitude.
Sorry to be so cynical, but it’s easy to lose touch with the fun internet when even personal blogs are packed with trackers and advertising and trying to monetize everybody.
Except for some relatively obscure corners, the light hearted and fun internet is dead. At this point, I doubt most people ever even experienced that part of it.
I strongly disagree. Let’s say in 1995 there were 10 websites and all of them were fun and childish. In 2000 maybe there were 10,000 websites and 50 of them were fun and childish. In 2020 there are 10 million websites and 10,000 of them are fun and childish. And I see people calling that a bad thing?!
The internet of the 90s didn’t go away, there’s just more built up around it. You can have that old internet back, just block Facebook and Google and hell even the top million sites. All you have to do is just not visit the sites you don’t like. When I hear people say the old internet is gone what I hear is that they want all websites to be like the old internet. There’s more “old internet” today than there ever has been and it’s easier to find those sites than it ever has been. I don’t go into my favorite ice cream shop and complain about all the fancy new flavors, because I can still buy plain old vanilla. Strawberry shortcake didn’t replace my favorite flavor, it’s all still there. The only difference now is that I have other flavors tempting me, flavors no one is forcing me to buy. Vanilla is still there.
Complaining that the good sites are stuck to the obscure corners ignores the fact that the 90s web was an obscure corner.
I think you misunderstood what I was trying to say. I was on the internet in 1995, and while there are things I miss, like the higher signal to noise ratio and less advertising, I don’t have anything against the modern web and I don’t have any interest in making the modern internet more like the internet of the past.
The point I was making is that the whole mindset of the web has changed, and even if you block millions of sites you’re not going to get the same open and “fun” experience as browsing back in the 90s. The mere fact that you have to put so much effort into it changes the experience.
It’s like trying to relive the 1870s by driving a horse and buggy in traffic on modern streets - maybe you’re getting some idea for what it was like, but it’s a long ways off from what it was really like back then.
I didn’t intend for my comment to be a pointed one, or to blame anyone. It was perhaps directed more at the people who run those blogs that are packed with trackers and advertising.
I recall when there was a minor uproar over .xxx … at some point one must do away with childish things, no?
Why, exactly?
It’s never too late to have a happy childhood. (That’s a quotation, yes. Fine book.)
I guess I’ll just share a link to a scene in a film that your comment made me think of:
“When I was a child, I spoke as a child, I understood as a child, I thought as a child: but when I became a man, I put away childish things.”
This is actually a verse from the Bible:
https://biblehub.com/kjv/1_corinthians/13-11.htm
Is that a film where the man is a thoughtful person or more of a badass? If thoughtful you can make a thoughtful argument. If badass, I suppose there isn’t much of an argument to be made.
I agree. I own both snazz.xyz (because it’s fun, short, and fits well with the theme of my username) and a more professional website with my CV and academic information at [firstname][lastname].com. I think that owning both serves me well at a lower annual cost than a single .io.
A couple thousand people got screwed over several decades ago by the British Government for geopolitical reasons therefore you shouldn’t buy the .io TLD? I don’t think that’s reasonable. .io is a useful de-facto gTLD with explicit tech connotations unlike .xyz, and as stated in the articles linked through by the OP a proportion of its profits are reinvested in internet infrastructure. Some things are worthy of boycotting, but this is not one of them.
There’s a difference between “I urge people to reconsider” and “You’re a moron if you do this”. The author did the former, not the latter.
Everyone is free to boycott what they want.
I agree, the OP is perfectly free to boycott .io if they so choose. And I am perfectly free to say that I think it’s hand-wringing and an over-reaction. On a site like lobste.rs, which is rarely overtly political, a skimming reader might think that there is a good technical reason to not choose .io, which as far as I know is not the case.
I won’t try and convince you otherwise :)
Well….. [1]
Also, the future of the TLD being uncertain due to these geopolitical issues is quite a technical reason not to choose .io [2] (I added an update about this to the post)
[1] https://thehackerblog.com/the-io-error-taking-control-of-all-io-domains-with-a-targeted-registration/
[2] https://www.prolificlondon.co.uk/marketing-tech-news/tech-news/2019/05/future-popular-io-domains-question-over-british-empire-row
That first link was an interesting read, thanks! Good thing I’m too tight to buy .io domains anyway :p
There are technical reasons too: it’s a poorly run registry with bad record of nameserver uptime. The whole thing is held together with chewing gum and gaffer tape. I know this because of the “fun” I had going through ICB’s registrar accreditation process, where I spent most of the time getting them to fix bugs on their side.
Wait, I’ve thought this whole time that lobste.rs was a political wing in Kosovo/Serbia! /s
Those people are still being screwed over, today. Denied their homeland, they are forced to remain stateless. Their buried dead lie in graves untended, their lands appropriated for CIA Black Sites and USAF weapons of mass destruction.
It isn’t a gTLD, it’s a cockamamie “ccTLD” run for the benefit of the same people who have stolen the Chagossians’ homeland.
What would be worthy of boycotting, O Sage of the Internet?
I’m pretty sure tech firms have been treating it as essentially a gTLD for quite a while now.
China for atrocities against Uyghur Muslims, or Saudi Arabia for atrocities in Yemen. Nations and entities which have murdered people en-masse instead of just displacing them.
I’m surprised (perhaps disappointed) you don’t think that’s reasonable. I can’t think of many better reasons to boycott something. You say “a couple thousand people” as though that’s a number that should be treated as insignificant.
The suffering of one person is a tragedy, the suffering of “a couple thousand people” is a statistic, right? Considering how shady this whole thing is I think it is completely fair to just vote with your wallet and choose a different TLD at no inconvenience to yourself.
You probably would revise your position if you were one of those couple thousand who had a foreign colonial government stealing your wealth.
Beyond the problematic colonist mindset here, there are actual technical reasons, well documented at this point, and with a little google fu you can find quite a few horror stories.
I don’t like using .io simply because it’s supposed to be a geography-specific domain. It’s abusing the spec to use it as a trendy tech domain, IMO.
Well, there’s .tech, .computer, .systems. So why .io? Just because it means “input/output”? If I make a techy website, why do I need my domain to be associated with “input/output”? Also, few people outside tech will get the .io reference. To others, it’s just confusing.
There’s also the “future of io” issue: https://www.prolificlondon.co.uk/marketing-tech-news/tech-news/2019/05/future-popular-io-domains-question-over-british-empire-row Who knows what will happen if the Mauritian government gets ownership of the TLD.
The problem with long, unusual TLDs like those ones is that they don’t immediately parse as URLs when one reads them - in fact, less technical people may not even realize they are URLs at all (I accept this may be a feature not a bug :p). They also break a lot of field validators. You are to some extent right about non-technical people not associating IO with input/output - I think many consider the domain synonymous with those simple online multiplayer games in the vein of agar.io.
Is there a better source for the claim that .io would pass to the Mauritians if the UK ceded the Chagos islands (which I doubt will happen, but that’s beside the point)? Cynically, I am inclined to think that this will not happen.
On your side of the fence as well. I’d like to see it happen, but… UK giving up a source of money like that?
In the end, it’s risk assessment. If you feel your brand perception will improve by using .io and the chances of .io going “territory only” mode are slim, no one is stopping you.
It’s difficult, but I’m trying not to judge. What other people do with their domains is their business. I’m really only asking to take these issues into consideration when buying a domain.
This is exactly the kind of libertarian nonsense that seems to plague lobsters these days.
Nothing about his comment in any way pertains to libertarianism or libertarian philosophy.
This is my latest foss project. After discussing ways to make basic pgp operations easy for non-techy people without having to rely on keybase, I made this little web app that replaces keybase’s signature verification functionality in an open source, more privacy-friendly and secure way.
This is a handy resource! I used to use a variety of websites to validate the different aspects of the indieweb on my website. Having it all on one page makes validating easier
I myself haven’t started yet. I installed a theme (WordPress) suggested by them and installed plugins but still didn’t start to do the things. Write about your steps. On your blog or Mastodon. I think I already have followed you.
That’s really well made! Any plans on using this same “real-time multiple roles” concept in a different application or project? Assuming you’re not going after Uber, that is 😉
Thanks! Didn’t think about it yet, web sockets that are used there could be set up in a better way, as far as I’m aware, currently, all users get notified about changes and filter out all unrelated to them messages… Regarding the next project, most probably I’ll make a landing page to help my father sell honey online, he is a beekeeper.
That is a wholesome next project, best of luck! If you decide to open-source it as well, send us a link here :)
Sure I will!
How old is he? I mean, he’s beekeeping age clearly
he is 75, beekeeping for the last 30 years, usually, he gets up to 500kg per season
Wow! That sounds a lot to me. I know nothing about the economics of bee keeping.
Yes, sounds a lot, considering that he has I think 15 hives. Financially it is not that much, here in Estonia, he can sell it as up to 8EUR/kg which gives ±4KEUR per year
Interesting, I was looking into Ansible, but I might try this as well for comparison.
I have to ask: I look at some of these scripts and wonder if a simple bash script is not shorter and more efficient than running python to install packages and move files around?
Edit: typo
Some of these tools are (semi-)declarative. For instance, in Ansible, you usually define how you want the server to be like, and Ansible goes in to check whether that’s already true. If it is, Ansible does nothing (further). There are also shell commands that just run a shell script on the server, so those are obviously not declarative and get run on every run. But that’s sometimes useful as well.
This makes incremental development of a server using Ansible nice, since you can continuously keep running your whole stack to the server and only the changes get applied. Personally, after getting used to this, I consider the declarative nature to be the most important feature of such a tool.
I’ve sometimes thought that it might be interesting to try a migration model for server maintenance instead. Then you could just dumb down everything to running simple shell scripts, and the system simply keeps books on which server migrations have been run and which not. This obviously only would work if you can trivially start over, since doing reversal migrations all the time would be nasty. And you would need to make sure nobody does manual changes without this system. But you need to make such a restriction anyway in order to properly handle any larger number of systems.
That’s an interesting point, the incremental nature of Ansible. I really need to get experienced with it
I’ve recently switched my website’s design to a light theme and after some getting used to, it does read more comfortably. Even trying programming with light theme again.
Hey, I was just reading your Open Source post (last one) and yes, it looks better now. I use to read your site on MiniFlux