Whonix Wiki Download Docs News Support Tips Issues Contribute DONATE

How much effort is worth spending on a "perfect webserver for whonix.org"?

Whonix source code in self-hosted git - #2 by Patrick

What’s the big advantage of a git (or any) server self-hosted by Whonix compared to any git branch in any git repository anywhere or git patch format? And is the extra effort really justified for the maintenance required for that webapp? Maintenance required: initial setup, keeping it updated, backups and restoration testing, archival, troubleshooting if something breaks…

From my experience with other webapps…

  • wordpress blog (updating was messy, kept breaking),
  • discourse forums (hard to resolve update issues, database issues),
  • mediawiki (update issues, database issues),
  • phabrictor (deprecated even though one would thing that’s unlikely given it was in use by at least two major users such as wikipedia and facebook)

…that’s hours and hours of work that are spend on a perfect webserver rather than on software development.

More generally… Not just about git… Any webapp or server setup… The issue is that the demands from a small vocal minority of highly technical users lead a lot of project resources being redirected that aren’t really beneficial for the core of Whonix which is the actual downloadable software or source code. Such as:

  • all software on the server must only be using Freedom Software
  • ideally the server would be self-hosted in a developer’s private home (not hosted at a server provider)
  • JavaScript free webapp or at least basic non-JavaScript support
  • the webapp must not have anti-features such as cookies, tracking
  • no loading of third-party content (such as fonts, CSS, scripts, let alone analytics)
  • no use of a CDN
  • the webapp must have perfect security
  • the webapp must be under constant development and be constantly updated by upstream and downstream

These ideal-world requirements are commendable but realistically I wonder these have hold back too much the software development of Whonix. By comparison, the official Tor Project forums forums.torproject.net, by an organisation with much more funding, multiple full time staff, are currently cloud hosted by a third party, discourse which includes IP logging. Source: [tor-talk] torproject forum hosted by 3rd party?

related:
Placing Trust in Whonix ™ chapter Trusting the_Whonix Website in Whonix wiki

2 Likes

From my experience with other webapps…

  • wordpress blog (updating was messy, kept breaking),
  • discourse forums (hard to resolve update issues, database issues),
  • mediawiki (update issues, database issues),
  • phabrictor (deprecated even though one would thing that’s unlikely given it was in use by at least two major users such as wikipedia and facebook)

…that’s hours and hours of work that are spend on a perfect webserver rather than on software development.

More generally… Not just about git… Any webapp or server setup… The issue is that the demands from a small vocal minority of highly technical users lead a lot of project resources being redirected that aren’t really beneficial for the core of Whonix which is the actual downloadable software or source code. Such as:

  • all software on the server must only be using Freedom Software
  • ideally the server would be self-hosted in a developer’s private home (not hosted at a server provider)
  • JavaScript free webapp or at least basic non-JavaScript support
  • the webapp must not have anti-features such as cookies, tracking
  • no loading of third-party content (such as fonts, CSS, scripts, let alone analytics)
  • no use of a CDN
  • the webapp must have perfect security
  • the webapp must be under constant development and be constantly updated by upstream and downstream

These ideal-world requirements are commendable but realistically I wonder these have hold back too much the software development of Whonix. By comparison, the official Tor Project forums forums.torproject.net, by an organisation with much more funding, multiple full time staff, are currently cloud hosted by a third party, discourse which includes IP logging. Source: [tor-talk] torproject forum hosted by 3rd party?

Sad to see TPO doing that, but I see that discourse must be much more
difficult to self-host than a git server, or so I expect.
It is difficult for me to argue again on my point because I don’t want
to damage development by spending more time during maintenance of hosted
servers than development.
If the burden of maintenance is worth the organization of issues, then
maybe?

related:
Placing Trust in Whonix ™ chapter Trusting the_Whonix Website in Whonix wiki

Not sure I would be trusting more the infrastructure if still doing
signature verification.

1 Like

No. It is same amount of effort, for me at least.

The discourse instance I hosted for 3 years and cost me about 50-100 hours of time.

These are wish lists, not requirements. It doesnt have to be all or nothing :man_shrugging:

Again, i could go either way. I want to make the project better and dont care about my ego. Of course i think creating a webserver ( not whonix owned) on gitfoss.org is a good idea, i bought the domain. But my ego is less important than whonix continuing to succeed for many more years

1 Like

You could donate $100,000 every year for them to have a full time experienced SysAdmin in charge of the task lol

1 Like

For what its worth @Patrick, while the phabircator deprecation is certainly annoying, it is not a 100% lost effort. There is an existing script to migrate issues in from phabricator to gitea, if we choose to go that path :slight_smile:

1 Like

Another great point I wish I had in mind when writing above bullet points. Self-hosting doesn’t have good incentive structures.

Even security experts don’t claim that they can absolutely secure a webserver / webapps form ever getting hacked. Usually the more of a security expert they are, the more modest they are, the more careful they are to avoid making bold claims of something being secure.

If that would even be enough money to avoid full database losses every other year.

I disagree in some regards, at least when open source tools are used. It swings the pendulum :slight_smile:

Perhaps an “almost invisible” effort, but using a tool like gitea would give more power to the project gitea

Again, not saying we should self host at this juncture in time, but I feel the need to give my opinion anyway

If you fuck up at your job and get your company hacked, you get a new job and say it “wasn’t a good culture fit”

If you fuck up and get your open source project hacked, the whole world gets to see exactly who did it LOL

1 Like