I’ve been an engineer for about two decades now and pretty much everyone I’ve ever worked with has expressed that they would never work for Facebook, betting companies or defense companies.
Amazon is probably next on the shit list and then Google, but each to a much lesser extent than the ones before. Working for Google still holds a level of prestige for some people.
No need to get aggravated, I completely grasp it, you’ve possibly misunderstood or not entirely read my comment if that’s your takeaway.
I’m not talking about server code specifically, I’m going through the stages between the source code repo(s) and what your browser ends up receiving when you request a site.
NodeJS is relevant here because it’s what runs nearly all major JS bundlers (webpack, vite, etc), which are what produces the code that ultimately runs in the browser for most websites you use. Essentially in a mathematical sense, the full set of dependencies for that process are a part of the input to the function that outputs the JS bundle(s).
I’m not really sure what you mean with that last part, really, anyone hosting something on the internet has to care about that stuff, not just businesses. GDPR can target individuals just as easily as for-profit companies, it’s about the safety of the data, not who has it—I’m assuming you would not want to go personally bankrupt due to a deliberate neglect of security? Similarly, if you have a website that doesn’t hit the performance NFRs that search engines set, no one will ever find it in search results because it’ll be down on page 100. You will not be visiting websites which don’t care about this stuff.
Either way, all of that is wider reasoning for the main point which we’re getting away from a bit, so I’ll try to summarise as best I can:
Basically unless you intend your idea to only work on entirely open source websites (which comprise a tiny percentage of the web), you’re going to have to contend with these JS bundles, which as I’ve gone into, is basically an insurmountable task due to not having the complete set of inputs.
If you do only intend it to work with those completely open source websites, then crack on, I guess. There’s still what looks to me like a crazy amount of things to figure out in order to create a filter that won’t be able to work with nearly all web traffic, but if that’s still worth it to you, then don’t let me convince you otherwise.
Edit: typo
First I don’t even grasp what a “service owner” is.
The people who build & run the software & servers that serve the website, who amongst other things have an interest in keeping the service available, secure, performant, etc.
Particularly with laws like GDPR, these services owners are motivated to be as secure as practically possible otherwise they could receive a bankrupting fine should they end up leaking someone’s data. You’ll never be able to convince anyone to lower the security of their threat model for that reason alone, before anything else.
there are already a bunch of app (web, android) that are open-source and secured.
The code published and the code running on a server cannot be treated as equivalent for several reasons, but here’s two big ones:
Firstly, there’s the similar issue as with compiled binaries in other languages: it’s tough (or impossible) to verify that the code published is the same code that’s running. Secondly the bundled and minified versions of websites are rarely published anyway, at most you get the constituent code and a dependency list for something completely open source. This is the bit I referred to before as trying to untoast bread, the browser gets a bundle that can’t practically be reversed back into that list of parts and dependencies in a general purpose way. You’d need the whole picture to be able to do any kind of filtering here.
who is the attacker here?
The only possible attacker is not the website itself (though it’s a lot more limited if the site implements CSP & SRI, as mentioned in my other comment). XSS is a whole category of attacks which leverage an otherwise trusted site to do something malicious, this is one of the main reasons you would run something like noscript.
There have also been several instances in recent years of people contributing to (or outright taking over) previously trusted open source projects and sneaking in something malicious. This then gets executed and/or bundled during development in anything that uses it and updates to the compromised version before people find the vulnerability.
Finally there are network level attacks which thankfully are a lot less common these days due to HTTPS adoption (and to be a broken record, CSP & SRI), but if you happen to use public WiFi, there’s a whole heap of ways a malicious actor can mess with what your browser ultimately loads.
Maybe I have missed your point, but based on how I’ve understood what you’ve described I think you may have also missed mine, I was more pointing out how the practicalities prevent such a tool from being possible from a few perspectives. I lead with security just because that would be the deal breaker for many service owners, it’s simply infosec best practice to not leak the information such a tool would require.
Your filtering idea would require cooperation from those service owners to change what they’re currently doing, right?
Perhaps I’ve completely got the wrong end of the stick with what you’re suggesting though, happy to be corrected
Publishing lock files of running services would be a big security risk for the service owner as it gives an easily parsable way for an attacker to check if your bundle includes any package versions with vulnerabilities.
You then also have tools like snyk used by many big organisations which has the ability to patch dependencies before the actual dependency published the patch themselves. This would lead to a version not corresponding with the bundled code.
In fact given bundling is pretty ubiquitous, but infinitely configurable at this point, even validating the integrity of the bundle Vs the versions in a lock file is a problem that will be hard to achieve. It’s kinda like wanting to untoast bread.
Also given many JS projects have a lock file which describes both the deficiencies of the front end bundle, server & build tooling, there is a risk of leaking information about that too (it’s best practice to make as little as possible about your server configuration publicly viewable)
IMO, the solution to this problem today is to use a modern, updated browser that sandboxes execution, run a adblocker with appropriate trusted blocklists for what you’re avoiding, try to only use sites you trust & if you can, push web developers to use CSP & SRI to prevent malicious actors from injecting code into their sites without them knowing. Many sites already take advantage of these features, so if you trust the owner, you should be able to trust the code running on the page. If you don’t trust the owner with client side JS, you probably shouldn’t trust them with whatever they’re running on the server side too.
I guess out of fear that we get another gitlab situation, where the open source offering has a load of key features eventually kept behind a paywall
Independent of corporate interests
.
Picks one of the few languages created due to corporate interests
This will die on the vine
That and anecdotally, these high capacity SD cards seem to quickly reach the temperature of the sun during any kind of sustained large file transfer
What are you on about?
Ryzen 3xxx series processors are still being sold new today
The oldest zen processors are only just over half a decade old—a consumer CPU should be expected to be in service at least double that time.
Funnily enough, I had something exactly like this set up with home assistant. You can add Ookla and fast.com speed tests as devices, which will run the tests periodically, and then I had an automation set up to send me a message via telegram whenever speed was less than half of what it was supposed to be
I like sync and haven’t felt the need to try anything else since I first joined Lemmy.
I briefly used Jerboa & connect but they just weren’t as polished—things have very likely moved on, but I’m happy where I am so I’ve not checked
That’s the manual setup for use cases like on a server or whatever (a common place where you would need port forwarding)
VPN at all times
Hardware transcoding on SBCs is generally not fantastic, you’re gonna want to look for one that has VAAPI/VDPAU support or you’re gonna be looking at 100% CPU for half a day to transcode a film, which will make your other services effectively unavailable at the time.
I used to run my Plex server on a Pi4 with 4GB of ram and it basically crashed any time transcoding kicked in, I swapped to an intel NUC so I could get QuickSync for transcoding.
I’ll point out though, every SBC you’ve listed has usb, which is all you need for an external disk. If you’re worried about size, I’ve got a 5tb external drive that’s about 5cm², which is basically the footprint of any SBC you could use in this scenario
Okay fair play, if you’re doing this super short term it could make sense. Though I question what SBC you’re using that’s capable of transcoding video but not the ability to plug in an external drive.
$12/m for your 2TB of usage would make sense for maybe 5 months before it would be cheaper to buy an external disk—and of course that storage is gone once that time is up, Vs a hard disk which will probably last you a decade or so
I’m not sure about transparently, that’s more in the tdarr wheelhouse I’d say. You’d dump the files into a monitored folder and it will replace it with a version transcoded to your specification.
Transcoding video takes a fair bit of time and energy too FWIW, so you’re going to need enough local storage to handle both the full size and smaller one.
I have to question the idea though, cloud storage is always more expensive than local for anything remotely non-temporary, and transcoding a load of video all the time is going to increase your energy bills. If you have any kind of internet bandwidth restrictions that’s gonna factor in too.
I’d say it would be better to save up for a cheap external hard drive to store your video on. For a year’s subscription to a cloud storage service that would provide enough space for a media library, you could probably get twice the amount of storage forever.
Unless you’ve got raw uncompressed video, any kind of transparent compression like you describe is only going to cost you in energy bills for no benefit. Most video is already compressed with specialised video compression as part of the file format, you can’t keep compressing stuff and getting smaller files.
The alternative is a lossy compression, which you could automate with some scripts or a transcoding tool like tdarr. This would reduce the quality of the video in order to reduce the file size
Firstly, thanks for the detailed response!
It’s promising to hear that Ableton has a lot of support from the community. I suppose given the versioning issues something like nix could be used to manage the wine versioning more deliberately.
I’ve got a focusrite interface, so if your latency is low, I imagine I’d probably get the same experience. I know I’ll probably lose the iPad remote control features too as I think that’s baked into the windows driver.
Given I do have a pretty extensive VST collection, it’s a shame, but you’re probably right. Do you know how heavily developed Yabridge is? Do you think the industry moving slowly to CLAP plugins might improve this situation?
Maybe dual-boot is a better option to start with, I guess that way if I feel like trying to get it working I can give it a go.
Do you have any plugins that use iLok? Either software or a hardware key
Plex is probably the easiest and most convenient, I think jellyfin is viable too, but I don’t use it.
If you’ve got the money, Roon or Audirvana are the gold standard of self hosted music
If you want something similar, but free, look into things like volumio or subsonic based solutions.