@aral Oh wow, this looks amazing. So happy I actually found out about this; I hope to see it develop further. Will be keeping an eye on it and supporting you.
@rustygopher Thank you :)
@dheadshot @rustygopher No, it doesn’t mean that because there is nothing inherent in JS that “isn’t good for privacy” or runs badly on older machines. On the contrary, keeping your secrets on the client (which you control) *requires JS* and requires that all logic runs on the client and that the server (which you don’t control) is as dumb as possible and never has your secrets. Sadly this generic dogma about “JS is dangerous” is perpetuated by folks like the FSF and it’s both wrong and harmful.
@aral Client code is served from its server, so to control the client you have to control the server anyway. Keeping most of the logic in the client will eventually slow it down, as well as sometimes unnecessarily complicating the setup with APIs and ways to keep in sync, and it gets worse if you get into hybrid rendering to speed things up.
Look at sites like Sourcehut or Invidious, they work fine without JS and are still usable. [1/2]
@aral I'm not saying that JS is the true devil, but making your site break without JS is bad. For example, some users only have access to a text environment (no GUI), and JS won't work in text-based browsers like lynx, w3m and friends.
@yyp And that’s fine. Those folks will not be able to use the Small Web. Every system has minimum requirements. The ones for the Small Web may not work for Richard Stallman but they are perfectly fine for everyday people who use technology as an everyday thing.
@yyp PS. I’m boosting some of my replies because this is a point that’s come up several times now so I want other folks to read and understand what we’re building and why :)
JS isn’t the enemy. Someone else (Big Tech/people farmers) holding your data and keys is the enemy.
@aral do you know if signing of JS (or other assets) is a thing already? I mean I know about Subresource Integrity, but that's just a hash. I mean a way to SIGN a file, so that a browser(-extension) could verify (perhaps from DNS TXT) that this is the very file a developer intended, regardless where it's hosted and if SRI is in place?
@claudius Been looking into it quite a bit. Nothing to sign the initial download. So we’ll have to have a browser extension + dev/build workflow conventions.
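Added example (not part of the thread, and not code from any project mentioned in it): a Node.js sketch of the difference raised above between an SRI digest and a detached signature that a verifier checks against a developer key published out of band. The TXT record format `v=jssig1; k=ed25519; p=...` and all function names are assumptions invented for this sketch; the DNS lookup itself is not performed, and the record is assumed to reach the verifier unmodified.

```javascript
const { createHash, createPublicKey, generateKeyPairSync, sign, verify } = require("node:crypto");
// SRI value as used in integrity="...": a bare digest, no key involved.
function sriDigest(bytes) {
  return "sha384-" + createHash("sha384").update(bytes).digest("base64");
}

// Build step (developer machine): detached Ed25519 signature over the exact file bytes.
function signAsset(bytes, privateKey) {
  return sign(null, bytes, privateKey).toString("base64");
}

// Hypothetical TXT payload; this record format is invented for the example.
function txtRecordFor(publicKey) {
  const der = publicKey.export({ type: "spki", format: "der" });
  return "v=jssig1; k=ed25519; p=" + der.toString("base64");
}
function publicKeyFromTxt(txt) {
  const fields = {};
  for (const part of txt.split(";")) {
    const i = part.indexOf("="); // first "=" only: base64 padding also uses "="
    if (i > 0) fields[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  if (fields.v !== "jssig1" || fields.k !== "ed25519" || !fields.p) {
    throw new Error("unsupported or malformed key record");
  }
  return createPublicKey({ key: Buffer.from(fields.p, "base64"), format: "der", type: "spki" });
}

// Verifier side (for example a browser extension): fail closed on any parse or crypto error.
function verifyAsset(bytes, signatureB64, txt) {
  try {
    return verify(null, bytes, publicKeyFromTxt(txt), Buffer.from(signatureB64, "base64"));
  } catch {
    return false;
  }
}

function demo() {
  const dev = generateKeyPairSync("ed25519");
  const released = Buffer.from('console.log("app v1");\n'); // constructed sample file
  const swapped = Buffer.from('console.log("app v1 altered");\n'); // constructed
  const signature = signAsset(released, dev.privateKey);
  const hostIntegrity = sriDigest(swapped); // the host serving the HTML also sets integrity="..."
  return {
    sriAcceptsSwapped: sriDigest(swapped) === hostIntegrity,
    sigAcceptsReleased: verifyAsset(released, signature, txtRecordFor(dev.publicKey)),
    sigAcceptsSwapped: verifyAsset(swapped, signature, txtRecordFor(dev.publicKey)),
    sigAcceptsOtherKey: verifyAsset(released, signature, txtRecordFor(generateKeyPairSync("ed25519").publicKey)),
  };
}
```

The SRI check passes for the altered file because whoever serves the HTML chooses the digest, while the signature check depends only on the key the verifier obtained separately.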
Yeah, so it's complicated, right? Just downloading and running apps randomly isn't good for your privacy or security–turning off (or not supporting) JS makes sense as a general rule for how to make devices more secure/private. However, JS is great for making apps less reliant on the server and more useful offline or with static hosting. How else can you make an app that runs on everything and doesn't require expensive hosting?