Show newer

@nasser I use object storage for this. I've been using Backblaze for my password manager for like 7+ years and IDK if they have billed me 1$ yet. I just give the backblaze credential out publicly on pwm.sequentialread.com. I've never had any issues with that. The token can PUT and GET but not delete or list.

-----

For realtime stuff, my favorite has been HTTP/2 + Server Sent Events. No limit on number of client -> server event sends (each one is a POST request in HTTP/2) and no WebSocket-related-protocol-negotiation issues.

The client-side JavaScript is very simple and only uses built-in browser APIs (EventSource + fetch)

I've always implemented the backend from scratch, IDK if there's a simple "broadcast" SSE server you could just download and run.

Here's an example implementation with python-flask as the server:

github.com/pingnova/depottextl

github.com/pingnova/depottextl

Here's an example in Go:

git.sequentialread.com/forest/

It looks like tusky has a bug where the attached media images don't "wrap", they go off the right of the display and I can't click on them to add alt text. So I can only add three images at once.

Show thread

Even tho this board is very large and has big components, it still felt cramped and I had to clean up my solder joints multiple times to make sure I didn't have any short circuits.

Show thread

Bonavita electric kettle repair -- the first component level board repair I ever completed

@dumpsterqueer

I like your approach of sticking w/ jpeg and using webp for transparent images 👍

It can be slightly annoying to download an image and then realize whatever image editing program can't open it.

I like to use avif for big highly compressed photos on the web, I think it does noticeability better than webp. The background on layerze.ro is only a few KB. But for thumbnails I doubt the difference between jpg and anything else would be worth the fuss.

@j3s the context stuff should not be required afaik unless theres something in a library you use which requires a context passed to it.

Setting the timeout on the http client should be all you need.

Modifying the default http client is slightly frowned upon in programs that have dependencies and do a lot of stuff... But vore is simple enough its fine. Otherwise you can create your own http client and use that one instead of the default.

@j3s classic golang infinite timeout by default right ? 🫠

@gabek please hold while I get my financial shit together again... Then you can send them my way

@zens@merveilles.town @aynish I should clarify, I mean specifically for highly interactive / dynamic web apps like a mastodon client, something that behave more like a desktop/mobile app. For everything else I agree the "fit it in one file less than 12kb" approach is :praxis_100:

@zens@merveilles.town @aynish

Yeah this is all too real, the "solution to problem caused by previous solution" pattern of tech. Its nice to get off the treadmill. For example if I make a small web app w/ preact and parcel, it will be like 7kb to 14kb unminified/uncompressed... But as soon as I wanna display a legible stacktrace to the user when an error occurs, I have install the 'sourcemapped-stacktrace' package and oops.. bundle.js is ~100kb now.

Theoretically possible to make it load that part after the page we care about loads, but now we're loading error handler separately and **after** everything else loads, and we need fallbacks, and, and, and, it never ends.

Idk if there is any ideal solution to this. Web dev is just hard.

@zens@merveilles.town react is not the only game in town for this kind of strictly enforced code vs data separation, but its definitely a popular example.

In vanilla js, one would simply stick to document.createElement and element.textContent and everything should be fine.

Tools like htmx fundamentally don't do this, they load the HTML from the server and execute it as code, so the server is responsible for making sure its templating is clean.

Its harder to be sure its right without access to the actual DOM implementation that the browser uses, google search had an xss that was caused by differences between two different html parsers/serializers, the one they used on the server vs the one they used on the client side.

@zens@merveilles.town not exactly. React doesn't deal with template or html strings at all at runtime, it compiles to "hyperscript", aka, 1000s of "document.createElement()"s in a trenchcoat. And the hyperscript it generates is always fundamentally xss-proof unless you use the " danger" functions.

Other frameworks like angular 1.4 that used string templates were never fundamentally xss-proof... They were like input sanitizers, so it was always a cat and mouse game between attacker and defender.

There is a fundamental difference between trying to sanitize inputs vs explicit separation of code vs data. Similar to the difference between parameterized SQL queries and special "SQL template" tools that would try to sanitize inputs. There was a similar cat and mouse game w/ those.

@zens@merveilles.town I think the ppl saying "Dev experience" actually mean "corpo manager experience".

The frameworks do have benefits; they allow us to shed legacy and rename / deprecate things that have been named wrong for decades. For example, in react, `element.innerHTML` was renamed to `dangerouslySetInnerHTML`. Honestly this is the single best feature of react.

None of this matters if you are just trying to make a single user web tool or a blog. But if you're a corporate manager and you want to throw whatever programmers you can manage to retain at a problem, react is the obvious choice. Chances are you arent gonna get the budget it would take to hire ppl who have the 2-5 years of in-depth web platform experience that it seems to take to be able to really do complex web apps in vanilla js without accidentally creating arbitrary code execution from user-provided content.

I've helped a few folks with their first frontend projects outside of work, and I've found trivial xss every single time.

Yes there are tons of ways to mitigate xss, but none of them really shut the door on it with an ultimate eternal sealing spell like react does.

@vladh Probably anything you can do to help people avoid buying a new computer would have much more impact than changes focused on reducing the CPU consumption of software

@zens@merveilles.town I've heard this take a lot too, that usability is inherently exploitative in some way. That ez to use software is necessarily going to be serving a purpose other than offering utility to the user.

IMO its one of those things that is obviously not true, but might as well be true in the world that we live in.

I think its more accurate to say that software development is difficult and expensive, but some people manage to do it as a hobby or for the public good. HOWEVER, software development *including usability testing* is at least 10X MORE expensive, and practically no one has ever managed to come up with the scratch to do it outside of a commercial context. So all the effort tends to go into making it intuitive to buy loot boxes

@hp

> How do you give a novice user information like "This violated an SELinux policy"

1. disable SELinux

2. If you want to enable SELinux, you have to make a GUI for it -- you have to actually go into the SELinux source code and add the parts that will enable actual usability. Not to create a shitty error message like "This violated an SELinux policy", but to create an error message that contains the word "because".

------------------------

.. nobody has ever even TRIED to fix it.

Nobody ever tried to fix climate change either... But if we don't fix it, it's all over real quick.

I believe in an interpretation of what we observe about the universe that says that "what we observe is generally what was most likely to happen". aka "many worlds"

In a thousand years, the only likely outcome that anyone will be around to observe, is the outcome where we got thru it...

I took a heroic dose of psychedelics and saw the Golden Path, so I'm trying to walk it. Succeed or fail, don't care, at least I tried and did my best. Sue me.

Show older
Pixietown

Small server part of the pixie.town infrastructure. Registration is closed.