Introducing Indie Web Server 8.0.0: install the server and start serving a secure static personal web site in literally seconds

Video demo + short post: ar.al/2019/04/16/set-up-a-live

I hope it makes your lives easier. This is one of the earlier pieces of the puzzle in the Hypha project.

(It took two weeks and a couple of false starts but Version 8.0.0 introduces native binaries for Linux and macOS. Production use via startup daemons is supported only on Linux platforms with systemd.)

@aral possibly redundant criticism, but: please don't advise people to pipe to bash. It may simplify things and look pretty, but (aside from the obvious security issues / implied trust of the domain) encourages others to "simplify" commands (possibly using sudo) in this manner, and could even result in partial commands being executed and wrecking someone's system. Source: seancassidy.me/dont-pipe-to-yo

Aside from that, great article! I might try this out sometime soon :)

@fennifith Hi James, if you look at the script in question, there’s no chance it can wreck anyone’s system as it does nothing destructive. The latter can also be avoided by prompting before destructive behaviour (always a good idea) and installation shouldn’t be a destructive process in any case. What is an actual issue with the practice is encouraging people to pipe stuff to their systems without checking what it is; hence on the it asks you to. The alternative, here, would destroy usability…

@fennifith … and usability and security are always a trade off: a completely secure system would be one that is utterly unusable. That’s why we use threat models. For the goals of this project and its threat model, this is the most optimised installation process I could come up with. Always open for suggestions about how to make it better (so the bit that comes after “don’t do that” and says “do this instead”).

Hope you find it useful when you try it out.

@aral It is good that you have considered this, but I'd still like to err on the side of caution (one possible option is PGP-signing the installer so it can be verified with keybase or the "web of trust"), and I think the decision of how this is balanced with usability should ultimately be left to the user. Regardless, I would briefly mention this in the article if only to communicate to a new/inexperienced audience that it *might not always be a good idea*, and that this is still something to be wary of.

@aral However, after taking some time to look at the project I see that this is mentioned in the web server's page, and it is true that the script may be simple enough that PGP signing is a bit overkill. Criticizing your work without properly understanding it was on me.

@fennifith Hey, no worries – always better to err on the side of caution ;)
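
Added example, not part of the thread and not the project's own installer: the two concerns raised above (a cut-off download executing partial commands, and verifying the installer before running it) sketched in POSIX sh. The installer body, the function names and the SHA-256 digest check, used here in place of the PGP signature suggested in the thread, are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: download, verify, then run, instead of `curl ... | bash`.
# Installer text and digest are constructed here so the script runs offline.

# SHA-256 of a file (sha256sum on Linux, shasum on macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Execute the installer only when its digest equals the published one.
# Returns 1 without running anything on a mismatch.
verify_and_run() {
  file=$1
  expected=$2
  actual=$(sha256_of "$file")
  if [ "$actual" != "$expected" ]; then
    echo "digest mismatch: refusing to run $file" >&2
    return 1
  fi
  sh "$file"
}

# Constructed (hypothetical) installer. All work sits inside main(), which is
# called on the last line, so a transfer cut off mid-file leaves an incomplete
# or uncalled function and never runs part of the install steps.
make_installer() {
  cat > "$1" <<'EOF'
main() {
  echo "installed"
}
main "$@"
EOF
}

tmp=$(mktemp -d)
make_installer "$tmp/install.sh"
published=$(sha256_of "$tmp/install.sh")   # stands in for a digest obtained separately
verify_and_run "$tmp/install.sh" "$published"
head -c 20 "$tmp/install.sh" > "$tmp/partial.sh"   # simulate a dropped connection
verify_and_run "$tmp/partial.sh" "$published" || echo "partial download rejected"
rm -rf "$tmp"
```

A digest only helps when it is obtained over a channel the attacker of the download does not also control; a detached signature checked against a key the user already trusts removes that dependency.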
