[HN Gopher] This website is hosted on Bluesky
___________________________________________________________________
This website is hosted on Bluesky
Author : hasheddan
Score : 201 points
Date : 2024-11-24 20:43 UTC (2 hours ago)
(HTM) web link (danielmangum.com)
(TXT) w3m dump (danielmangum.com)
| tr1ll10nb1ll wrote:
| unrelated probably, but it made me realize how I don't really see
| Hugo/Jekyll type websites anymore.
| hipadev23 wrote:
| How do you even know? Don't those both just generate static
| html?
| thesdev wrote:
| It says "Powered by Hugo" at the bottom of the page.
| Zambyte wrote:
| Depending on the theme.
| rahkiin wrote:
| I build my own themes and don't include that either
| mikae1 wrote:
| Same here
| tr1ll10nb1ll wrote:
| Footer. Also Jekyll/Hugo sites use generator so you can
| mostly find it in the meta generator tag.
|
| Next.js sites are also a super easy find like this.
| veqq wrote:
| You can trivially remove it e.g.
| `disableHugoGeneratorInject = true` in `config.toml`.
| zahlman wrote:
| I see plenty of _blogs_ generated from Markdown with tools like
| that.
|
| Has something overtaken Hugo and Jekyll in that space?
| dangerlibrary wrote:
| I just use mkdocs for everything.
| teitoklien wrote:
| I build my own with Jinja2 templates, my custom python script +
| mistune library to parse markdown to html, and a YAML file in
| similar format to Hugo (the previous generator I used to use).
|
| I found building my own custom one with python3, much more
| freeing in all sorts of interesting ways, I also exposed the
| static site generator with a FastAPI based API to auto build my
| website from my notes, my cooking recipes, database records,
| financials, git commits, etc to build me a private protected
| website (via nginx auth) from anywhere, whether via sending a
| text message to my telegram bot, or running a Shortcuts command
| on my iPad, or just directly running a command from my
| terminal.
|
| It took barely a day to set up, and allows me to run interesting
| custom extensions in all sorts of interesting ways, and builds
| me a personal website curated to my interest, where the primary
| viewer is supposed to be me. and it exposes a public barebones
| website with barely any content for everyone else.
|
| One of these days I think I'll expose more of it to the world.
| simonw wrote:
| I was curious as to the security context this runs in:
|
|     curl -i 'https://porcini.us-east.host.bsky.network/xrpc/com.atproto.sync.getBlob?did=did:plc:j22nebhg6aek3kt2mex5ng7e&cid=bafkreic5fmelmhqoqxfjz2siw5ey43ixwlzg5gvv2pkkz7o25ikepv4zeq'
|
| Here are the headers I got back:
|
|     x-powered-by: Express
|     access-control-allow-origin: *
|     cache-control: private
|     vary: Authorization, Accept-Encoding
|     ratelimit-limit: 3000
|     ratelimit-remaining: 2998
|     ratelimit-reset: 1732482126
|     ratelimit-policy: 3000;w=300
|     content-length: 268
|     x-content-type-options: nosniff
|     content-security-policy: default-src 'none'; sandbox
|     content-type: text/html; charset=utf-8
|     date: Sun, 24 Nov 2024 20:57:24 GMT
|     strict-transport-security: max-age=63072000
|
| Presumably that ratelimit is against your IP?
|
| "access-control-allow-origin: *" is interesting - it means you
| can access content hosted in this way using fetch() from
| JavaScript on any web page on any other domain.
|
| "content-security-policy: default-src 'none'; sandbox" is very
| restrictive (which is good) - content hosted here won't be able
| to load additional scripts or images, and the sandbox tag means
| it can't run JavaScript either:
| https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Co...
| nightpool wrote:
| is the default-src necessary if you're using sandbox or is it
| redundant?
| benatkin wrote:
| Blocking/allowlisting all JavaScript is the only way [1] to
| have a CSP fully contain an app (no exfiltration) [2] and with
| prefetch that might not be enough. The author is correct at the
| end to suggest using WebAssembly. (Also, it still has the issue
| of clicking links, which can be limited to certain domains or
| even data: by wrapping the untrusted code in an iframe and
| using child-src on the parent of the iframe)
|
| 1:
| https://github.com/w3c/webappsec/issues/656#issuecomment-246...
|
| 2: https://www.w3.org/TR/CSP3/#exfiltration
| bbor wrote:
| Pretty awesome! Convenience link to the fascinating github issue
| linked at the bottom, featuring Bluesky celebrity pfrazee:
| https://github.com/bluesky-social/atproto/issues/523
|
| I have a lot of hope for AT. I'm sure there's lots of smart
| people on HN that have done great things with the Fediverse, but
| this whole paradigm just seems more sustainable + realistic.
| Basically it gives us centralization by default, but with _real_
| decentralized support when you need it / for power users.
| jazzyjackson wrote:
| As far as sustainability goes I'm hoping for a better business
| model than "accept funds from Blockchain Capital" [0], some
| return on investment in mirroring the firehose. I can muse, a
| Discord alternative where some users pay to host longer videos
| (current limit is 60sec [1]) or Patreon where a relay takes a
| cut in exchange for managing access/decryption keys, or
| Bandcamp or some other kind of social marketplace - as it is
| there's no reason I couldn't do this, it is an open platform
| after all.
|
| [0] https://www.blockchaincapital.com/blog/bluesky-13m-users-and...
|
| [1] https://bsky.social/about/blog/09-11-2024-video
| bbor wrote:
| Yeah I'm also worried about profitability, tho not
| particularly concerned about that particular investor,
| personally; all VCs are inherently amoral profit generators.
| They are a "benefit corporation" like Anthropic, which gives
| them some leeway to deny shareholder requests in the name of
| public good. Which is nice!
|
| In general I feel like social media is in the perfect spot
| for a huge shakeup as display ads breathe their last breath.
| Even if Google wins/draws out its Display Ads antitrust case
| and successfully implements some new interest-tagging system,
| I think anyone with a calculator and a newspaper subscription
| can read the leaves at this point; people are concerned about
| their data, and the money it generates is peanuts compared to
| more traditional advertising schemes. All of this is of
| course not even mentioning what I think intuitive algorithms
| will do (cynical or no, there's lots of credentialed
| scientists saying that AGI (!!) is within reach in the coming
| decade, if not the coming few years).
|
| All that to say: I feel like they can find a way to make it
| work. Revenue doesn't need to be as high anyway if you a)
| don't have 1000 devs optimizing Display Ad A/B tests all day,
| and b) have the support of the open source community.
| yokem55 wrote:
| If they can get ~100k subs to a $10/mo premium service
| similar to discord nitro, they are probably close to
| breaking even at the current scale and ops methodology.
| Which seems feasible.
| leoc wrote:
| https://bsky.app/profile/leocomerford.bsky.social/post/3l7v6...
| To help the hard of clicking, this time I have pasted it all for
| you:
|
| Leo R. Comerford @leocomerford.bsky.social
|
| Why was it decided not to build on any existing content-
| addressable networking system (IPFS or whatever)?
|
| November 1, 2024 at 12:39 PM
|
| Leo R. Comerford @leocomerford.bsky.social * 23d
|
| (Not implying that this was the wrong decision, it's a genuine
| question.)
|
| dan @danabra.mov * 23d
|
| actually not sure i can answer this well. paging @bnewbold.net or
| maybe @why.bsky.team (who worked on IPFS btw)
|
| dan @danabra.mov * 23d
|
| my guess is that we'd want data hosting to be under direct
| control of the user (same as web hosting) rather than peer-to-
| peer, want instant deletion/edits at the source, need ability to
| move to a different host or take content down, need grouping into
| collections. not sure how much IPFS could adapt
|
| dan @danabra.mov * 23d
|
| we do use some pieces from IPFS though (aside from the actual
| peer to peer mechanism)
|
| bryan newbold @bnewbold.net * 4mo
|
| you can basically ignore it, we don't use "IPFS" proper anywhere.
|
| there are strong social connections, and we borrow some tech
| components like CIDs (flexible hash/digest syntax) and DAG-CBOR
| (more-deterministic subset of CBOR, good for signing+hashing)
|
| Bumblefudge @bumblefudge.com * 1d
|
| yeah this is all accurate. bluesky remixed a lot of IPFS
| components and patterns in interesting ways, but the monolithic
| global IPFS network (with chatty DHT distribution) wouldn't make
| sense here, BS made an infinitely more efficient/performant
| distribution of bytes tailored to its use case.
|
| Bumblefudge @bumblefudge.com * 1d
|
| FWIW the IPFS foundation is working on making IPFS more modular
| and easily remixed for future BlueSkies, but it's a big task
| decomposing the monolith and reorienting the documentation and
| ergonomics...
|
| [a second reply to the first skeet:]
|
| Uai @why.bsky.team * 23d
|
| As far as I'm concerned (and I led ipfs development for a number
| of years) we _are_ using ipfs, just a specific streamlined
| implementation of it. All your repo data can be imported into an
| ipfs node and addressed via cid
|
| Uai @why.bsky.team * 23d
|
| We don't use libp2p because for a consumer mobile app we didn't
| want to futz with nat traversal and connectivity and the like,
| but it's definitely possible to build a p2p version of bluesky
| steveklabnik wrote:
| Ah this is super cool! I've been thinking about doing this with
| my website, but was going to leverage the whtwind lexicon, since
| my site is mostly a blog. But for the front page, and anything
| else, I may have wanted something else.
|
| This is more of an unstructured approach, which is cool because
| it needs less specialized tooling. It has the disadvantage of
| being... well, just a blob. No semantic information there.
| pfraze wrote:
| Appreciated Daniel reaching out to the team about this! Hosting
| blobs is one of those things that will inevitably go through
| iterations as we understand the abuse vectors more and more, but
| for now it's really fun to see this kind of usage in action. The
| PDS is meant to be a database host in the same sense that a
| webserver is a website host.
| Retr0id wrote:
| The CSP headers didn't use to be there, which I used to pop an
| alert(), way back. (at the time there was also a MIME whitelist,
| but that whitelist included image/svg+xml, which allows script
| execution)
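
The header behaviour discussed in simonw's and Retr0id's comments above, as an added example that is not part of the thread or of Bluesky's code: a small Python audit of a blob endpoint's response headers. `CURRENT` is a subset of the headers simonw posted; `EARLIER` is a constructed response for the pre-CSP state Retr0id describes, and the finding labels are hypothetical names chosen for illustration.

```python
ACTIVE_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml"}  # can carry script
# Subset of the headers posted in simonw's comment.
CURRENT = """\
access-control-allow-origin: *
x-content-type-options: nosniff
content-security-policy: default-src 'none'; sandbox
content-type: text/html; charset=utf-8
"""
# Constructed: SVG allowed by a MIME allowlist, no CSP (nosniff here is an assumption).
EARLIER = """\
access-control-allow-origin: *
x-content-type-options: nosniff
content-type: image/svg+xml
"""

def parse_headers(raw):
    """Parse 'name: value' lines into a dict keyed by lower-cased header name."""
    pairs = (line.partition(":") for line in raw.strip().splitlines())
    return {name.strip().lower(): value.strip() for name, sep, value in pairs if sep}

def parse_csp(value):
    """Split a CSP value into {directive: [tokens]}; the first duplicate wins."""
    policy = {}
    for part in value.split(";"):
        tokens = part.lower().split()
        if tokens:
            policy.setdefault(tokens[0], tokens[1:])
    return policy

def audit_blob_response(raw):
    """Return finding labels (hypothetical names) for one blob response."""
    h = parse_headers(raw)
    csp = parse_csp(h.get("content-security-policy", ""))
    media_type = h.get("content-type", "").split(";")[0].strip().lower()
    sandboxed = "sandbox" in csp and "allow-scripts" not in csp["sandbox"]  # scripts blocked
    script_src = csp.get("script-src", csp.get("default-src"))
    findings = []
    if media_type in ACTIVE_TYPES and not (sandboxed or script_src == ["'none'"]):
        findings.append("risk:script-capable-type-unsandboxed")
    if csp.get("default-src") != ["'none'"]:
        findings.append("risk:subresource-loads-unrestricted")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("risk:mime-sniffing-possible")
    if h.get("access-control-allow-origin") == "*":
        findings.append("info:cors-wildcard")  # readable via fetch() from any origin
    return findings

if __name__ == "__main__":
    print(audit_blob_response(CURRENT), audit_blob_response(EARLIER))
```

The two CSP parts are checked separately because they cover different things: `sandbox` without `allow-scripts` stops script execution, while `default-src 'none'` stops the document fetching images, styles and other subresources.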
| la64710 wrote:
| I think the AT protocol is versatile in that users can access each
| others data once authenticated without any centralized service
| (granted the aggregators and some other things may still be
| centralized).
| jazzyjackson wrote:
| Is there any auth necessary to pull data from a PDS? I know the
| main relay is a public firehose so I would be surprised, but
| maybe the PDS can put relay servers on an allowlist?
| h4x0rr wrote:
| Anyone else feel like this will be abused for phishing and/or
| malware distribution?
| remram wrote:
| I don't see how. This is a direct link to the author's bluesky
| server (PDS) so of course it is controlled by them.
| benatkin wrote:
| Lack of moderation combined with an official-sounding domain
| name.
|
| This would have to get the user to follow a link or call a
| phone number or something though. These are plausible. It's
| too bad the content-security-policy can't prevent following
| links.
| lazystar wrote:
| is there any hosting site that isn't? feels like a computing
| law at this point; if you build a hosting site, someone will
| try to use it for malicious purposes.
| EGreg wrote:
| Can't you just make the hosting site features only be for
| real purposes?
|
| Like a link shortener which only forwards to a domain that
| matches the subdomain? Or only for watching videos and
| collecting metrics etc.
| edavis wrote:
| If this sort of thing interests you, check out atfile:
| https://github.com/electricduck/atfile
| skybrian wrote:
| I'm wondering whether a third-party PDS implementation should
| support other protocols as well. Would a combined git/PDS repo
| make any sense at all? (That is, it's a PDS, but it also
| implements enough of git to do read-only access via git
| commands.)
|
| What other protocols would make sense?
| anacrolix wrote:
| https://github.com/anacrolix/btlink
___________________________________________________________________
(page generated 2024-11-24 23:00 UTC)