degrowth issues
https://lab.allmende.io/groups/degrowth/-/issues
2024-02-22T15:54:38Z

https://lab.allmende.io/degrowth/degrowth.social/-/issues/2
Object storage for user uploads
2024-02-22T15:54:38Z
jon ryala@allmende.io

Today's second [security release v4.2.7](https://github.com/mastodon/mastodon/releases/tag/v4.2.7) of Mastodon this week contains a fix for a yet undisclosed vulnerability with the advisory [GHSA-jhrq-qvrm-qr36](https://github.com/mastodon/mastodon/security/advisories/GHSA-jhrq-qvrm-qr36) to be released later during the day.
Word has it, that the exploit appears to be related to hosting user generated content, such as media and other files, on the same domain as the Mastodon instance.
> The latest Mastodon security vuln (GHSA-jhrq-qvrm-qr36) appears to be an exploit that can be used against instances that host their media on the same domain as the Mastodon instance itself
>
> Reminder: It is best practice to put user uploaded media on a *different hostname* - ideally, a separate domain name entirely, but if not possible a subdomain will suffice.
>
> (Note: Even if you do this, you still need to upgrade; the exploit is against remote instances)
>
> https://akko.erincandescent.net/notice/AewHJjaza0PayW7x9U
–
- [x] Minio is configured to serve buckets also with subdomain addressing (incl. `dns-01` wildcard certificate for `*.lake.ecobytes.net`), a dependency for the example Nginx cache.
- [x] The Minio console is served from a different subdomain than the namespace of the S3 endpoint, `console.minio.ecobytes.net`, to avoid collision with bucket names.
- [x] User account, bucket, policy and anonymous read policy without directory listing have been provisioned to Minio.
- [x] An Nginx S3 cache container has been added to the Mastodon setup to serve uploaded assets from `humus.degrowth.social`
- [x] It transparently caches already uploaded media from either local file system storage or the S3 bucket.
- [x] Mastodon is configured to use S3 and has the S3 alias host configured.
- [x] The working setup has been tested and validated.
---
References:
* [:page_facing_up: Configuring object storage - Mastodon documentation](https://docs.joinmastodon.org/admin/optional/object-storage/#minio)
* [:page_facing_up: Proxying object storage through nginx - Mastodon documentation](https://docs.joinmastodon.org/admin/optional/object-storage-proxy/)
- [:newspaper: Switching Mastodon from Scaleway S3 to self-hosted Minio S3 media storage](https://thomas-leister.de/en/switching-mastodon-from-scaleway-to-selfhosted-minio-s3/)
- [:newspaper: Mastodon: Adding S3 based cloud storage to your instance](https://thomas-leister.de/en/mastodon-s3-media-storage/)
* [:page_facing_up: Object Management — MinIO Object Storage for Linux](https://min.io/docs/minio/linux/administration/object-management.html)
* [:page_facing_up: S3 - Configuring your environment - Mastodon documentation](https://docs.joinmastodon.org/admin/config/#s3)
---
Follow up:
- [ ] Investigate hosting of static assets from a CDN on a separate (second-level) domain.
> You can serve static assets (logos, emojis, CSS, JS, etc) from a separate host, like a CDN (Content Delivery Network) as it can decrease loading times for your users.
>
> [:page_facing_up: Configuring your environment - Mastodon documentation](https://docs.joinmastodon.org/admin/config/#cdn)
- [ ] Investigate hosting user uploads from a separate second-level domain, due to eventual cookie stealing from the subdomain.
> Advantages of a separate domain entirely include “if someone manages to upload some HTML the Javascript can’t just steal cookies
>
> https://akko.erincandescent.net/notice/AewHrv3zRvgEO4zX2e
- [ ] Transfer existing media (~ 400 GiB) into Minio, when it has been migrated into a 3-node cluster, and remove local file system contents after validation.
[:page_facing_up: Migrate from Gateway or Filesystem Mode — MinIO Object Storage for Container](https://min.io/docs/minio/container/operations/install-deploy-manage/migrate-fs-gateway.html)

https://lab.allmende.io/degrowth/platform/-/issues/30
Forms : LiberaForms deployment
2024-02-15T01:56:15Z
jon ryala@allmende.io

> As a community facilitator, I need to do semi-structured surveys with certain audiences, in order to collect data points about enquired subjects.
Currently, the IDN collects memberships in two forms that are embedded into the website:
* [Group & Organisation Membership | International Degrowth Network](https://degrowth.net/join-us/group-membership/)
* [my.liberaforms.org](https://my.liberaforms.org/embed/idn-group-membership)
* [Individual Membership | International Degrowth Network](https://degrowth.net/join-us/individual-membership/)
* [my.liberaforms.org](https://my.liberaforms.org/embed/idn-individual-membership)
They use a public deployment of LiberaForms at `my.liberaforms.org`, which is restricted to 250 answers in the free plan.
To support more sign ups, we would like to rehost the application and the collected data in a self-managed environment.
* [Allow container-native setup of LiberaForms (#141) · Issues · LiberaForms / server · GitLab](https://gitlab.com/liberaforms/liberaforms/-/issues/141)
–
- [ ] LiberaForms is deployed on `forms.degrowth.net`

https://lab.allmende.io/degrowth/platform/-/issues/29
Next : collective collection of use cases and implementations
2024-03-06T01:07:59Z
jon ryala@allmende.io

> As a platform community, I need to know the maturity of the offered services, in order to determine how much and which data I want to succumb to them.
At Allmende.io it has proven useful to collect user stories and demands in a semi-structured way at https://next.allmende.io/
Here we'd like to replicate that pattern and offer a specific location where implemented user stories can be discussed and displayed.
While Next Allmende made good use of [fider](https://github.com/getfider/fider), it seems useful to give people more indication about what is available and in which state. This is why the [astuto](https://github.com/astuto/astuto) feature to display states in a Kanban layout seems favourable.
–
- [ ] There is an astuto instance at `next.degrowth.net`, which is integrated with Login

https://lab.allmende.io/degrowth/platform/-/issues/27
Writer : experimental deployment (30 days evaluation)
2024-02-07T21:02:31Z
jon ryala@allmende.io

> As a Degrowth cloud platform user, I need to collaborate on documents with tracking changes and commented annotations, in order to allow for structured and on the point contributions.
After years of experimentation and effort put into a demo instance of FidusWriter ([writer.allmende.io](https://writer.allmende.io/)), we have now found a configuration that doesn't crash randomly anymore on its own, and are able to test drive it in praxis.
It is an internal platform for academic writing, that does not offer any means of public sharing and thus provides privacy by design. It has broad support for common data formats and citation standards. Multiple documents can also be combined into books.
* [Fidus Writer | a semantic word processor for academics](https://www.fiduswriter.org/)
–
- [ ] `writer.degrowth.net` offers the private, academic text production environment FidusWriter integrated with Degrowth Login.

https://lab.allmende.io/degrowth/platform/-/issues/26
Data : experimental deployment (30 days evaluation)
2024-03-06T02:07:06Z
jon ryala@allmende.io

> As a Degrowth cloud platform user, I need to collaborate on shared datasets, in order to inform my academic writing with empirical data.
Experiments with so-called low code platforms have shown, that they can provide suitable working environments for dealing with medium amounts of data. Here we propose the Grist platform as a collaborative spreadsheet for curation of structured data sets.
* [Grist | The Evolution of Spreadsheets](https://www.getgrist.com/)
Prior art:
* [Degrowth Database - Google Tabellen](https://docs.google.com/spreadsheets/d/18Z7kTs0smhOU9S3DyGNJ_MBQeu3XKW2qdxa3unOEn6I/edit#gid=0)
* [Digital civic interfaces and infrastructure organisations](https://data.ecobytes.net/o/docs/3HMfMMkgdxSu/Digital-civic-interfaces-and-infrastructure-organisations/p/1)
- Integrates with Outline #25
–
- [ ] `data.degrowth.net` provides a collaborative low-code table for curation of databases, based on Grist.

https://lab.allmende.io/degrowth/platform/-/issues/25
Docs : experimental deployment (30 days evaluation)
2024-02-07T21:10:06Z
jon ryala@allmende.io

> As a Degrowth cloud platform user, I need to collaborate on documents with tracking changes and commented annotations, in order to allow for structured and on the point contributions.
We have previously shown with a test document, that the Outline web platform (BSL, free for not-for-profits) can provide aesthetic and contemporary text collaboration patterns. It is time for us to prove this in praxis.
* [Outline – Team knowledge base & wiki](https://www.getoutline.com/)
Demo:
* [Conference Peer Review - WikiWiki](https://wikiwiki.allmende.io/s/be7dd180-87e6-4b7f-aaa8-5c17581cd084)
Further context:
- Integrates with Grist
- Answers to similar use cases as the Writer #27, but additionally allows public sharing of documents.
–
- [ ] `docs.degrowth.net` holds an Outline deployment called "Degrowth Docs" that is integrated with Degrowth Login.

https://lab.allmende.io/degrowth/platform/-/issues/3
Cloud : Stabilisation
2024-02-26T04:35:29Z
jon ryala@allmende.io

There are a few steps that we can take to further stabilise the Nextcloud:
- [x] Conversion from MariaDB to PostgreSQL https://lab.allmende.io/ecobytes/journal/-/merge_requests/22
- [x] Enable full-text search
- [ ] Enable a push notification daemon
- [ ] Optimise the database with
  - high availability
  - [ ] connection pooling
    for load balancing of network connections to the database cluster
<details><summary>References</summary>
* [Full text search - Apps - App Store - Nextcloud](https://apps.nextcloud.com/apps/fulltextsearch)
* [nextcloud/fulltextsearch: 🔍 Core of the full-text search framework for Nextcloud](https://github.com/nextcloud/fulltextsearch)
* [Nextcloud’s push notifications for iOS and Android - Nextcloud](https://nextcloud.com/blog/nextclouds-push-notifications-for-ios-and-android/)
* [nextcloud/notify\_push: Update notifications for nextcloud clients](https://github.com/nextcloud/notify_push)
* [PostgreSQL: Documentation: 16: Chapter 27. High Availability, Load Balancing, and Replication](https://www.postgresql.org/docs/current/high-availability.html)
* [Improve database performance with connection pooling - Stack Overflow](https://stackoverflow.blog/2020/10/14/improve-database-performance-with-connection-pooling/)
</details>

https://lab.allmende.io/degrowth/platform/-/issues/2
Cloud : Security audit
2024-02-07T19:06:50Z
jon ryala@allmende.io

We need an audit
We need a security audit of the security of Degrowth Cloud.
- Users
- Group membership
- Group folders
- Shared items
- Calendars
- Shared calendars

https://lab.allmende.io/degrowth/hub.degrowth.net/-/issues/6
Rename to releais when released
2024-01-01T18:35:27Z
jon ryala@allmende.io

https://lab.allmende.io/degrowth/compose-ghost/-/issues/1
Breaking changes from v3 to v4
2024-01-01T18:23:07Z
jon ryala@allmende.io

Ghost v3 admin interfaces on candecreix.degrowth.net, housing.degrowth.net and ontgroei.degrowth.net ask for upgrade to the latest v5 series. The upgrade from v3 to v4 included a breaking change regarding the database.
The support for SQLite, which was more than enough for low traffic sites, is deprecated and the service now requires MySQL. The migration path is outlined as a full export and reimport.
- [ ] The sites are migrated to a supported Ghost version.
  - [ ] candecreix.degrowth.net
  - [ ] housing.degrowth.net
  - [ ] ontgroei.degrowth.net

https://lab.allmende.io/degrowth/hub.degrowth.net/-/issues/3
Allow to load the site from http
2023-12-10T20:13:46Z
jon ryala@allmende.io

Out of purity, we want to support the HTTP protocol, the protocol of the web, and because this does not contain sensitive information.
Currently the site hard-codes the scheme in URLs for some assets, but not for all.
![grafik](/uploads/f2907f45fc6aea3baa252c0cf6a9504a/grafik.png)
–
- [ ] The site is built in a way that allows to run it without HTTP to HTTPS redirect.

https://lab.allmende.io/degrowth/platform/-/issues/8
Agora : Attached files disappear
2024-03-03T14:29:43Z
Gualter

An [uploaded PDF](https://agora.degrowth.net/uploads/default/original/1X/1ad0a4361df45832e23f6f95d12efb8504f05f7e.pdf) made in a [forum topic](https://agora.degrowth.net/t/article/143/4) became suddenly unavailable. I have tried myself to open this a few days ago and it was still there. It may be that data is somehow not being preserved on the agora, or that links get broken via some jobs?

jon ryala@allmende.io
2024-03-31

https://lab.allmende.io/degrowth/hub.degrowth.net/-/issues/5
Reference to Source Code
2023-12-14T14:32:56Z
jon ryala@allmende.io

Currently it seems the page is ineditable. Yet we have the sources here. We can give a hint to their location somewhere near the footer, or within the degrowth.net#18.

https://lab.allmende.io/degrowth/hub.degrowth.net/-/issues/4
Credits
2023-12-14T14:32:46Z
jon ryala@allmende.io

We need to drill down all third party contributions that we made use of, and their licences.