Appreciated Daniel reaching out to the team about this! Hosting blobs is one of those things that will inevitably go through iterations as we understand the abuse vectors more and more, but for now it's really fun to see this kind of usage in action. The PDS is meant to be a database host in the same sense that a webserver is a website host.
Doesn't the potential for abuse reduce when content is linked through the user's own domain rather than a particular appview like bsky? Bsky already supports a user's domain being ALIASed to redirect.bsky.com: https://bsky.app/profile/jacob.gold/post/3kh6rnpdzmp2v
"access-control-allow-origin: *" is interesting - it means you can access content hosted in this way using fetch() from JavaScript on any web page on any other domain.
"content-security-policy: default-src 'none'; sandbox" is very restrictive (which is good) - content hosted here won't be able to load additional scripts or images, and the sandbox tag means it can't run JavaScript either: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Co...
Blocking/allowlisting all JavaScript is the only way [1] to have a CSP fully contain an app (no exfiltration) [2] and with prefetch that might not be enough. The author is correct at the end to suggest using WebAssembly. (Also, it still has the issue of clicking links, which can be limited to certain domains or even data: by wrapping the untrusted code in an iframe and using child-src on the parent of the iframe)
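The two headers discussed above, turned into a check you can run over a host's response headers. This is an added example, not code from the original post or from the PDS; the header names are the real ones, the sample headers fed to it are constructed, and the `nosniff` check is an extra a practitioner would add rather than something raised in the thread.

```javascript
// Added example (not from the original post or the PDS codebase): assess the
// response headers a blob host sends, following the thread's reading of
// `access-control-allow-origin: *` and
// `content-security-policy: default-src 'none'; sandbox`.

// Types a browser renders as a document that can execute script. SVG is
// included: an image/svg+xml file loaded as a document can carry <script>.
const SCRIPT_CAPABLE = new Set(['text/html', 'application/xhtml+xml', 'image/svg+xml']);

// Parse a CSP header into Map<directive-name, source-list>. Directives are
// ';'-separated, names are case-insensitive, a value-less directive such as
// `sandbox` is legal, and when a directive repeats the first occurrence counts.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    const key = name.toLowerCase();
    if (!policy.has(key)) policy.set(key, values);
  }
  return policy;
}

// True if a document rendered from the blob cannot run script under this policy.
function cspBlocksScript(policy) {
  // `sandbox` without allow-scripts forbids script (and gives the document an
  // opaque origin, so it cannot reach the host's cookies or storage either).
  const sandbox = policy.get('sandbox');
  if (sandbox !== undefined && !sandbox.includes('allow-scripts')) return true;
  // script-src falls back to default-src; a bare 'none' allows nothing at all.
  const sources = policy.get('script-src') ?? policy.get('default-src') ?? [];
  return sources.length === 1 && sources[0].toLowerCase() === "'none'";
}

// Assess one response's headers (a plain object, any letter case) and return
// the properties the thread cares about plus a list of findings.
function assessBlobHeaders(rawHeaders) {
  const h = Object.fromEntries(
    Object.entries(rawHeaders).map(([k, v]) => [k.toLowerCase(), String(v)]));
  const contentType = (h['content-type'] ?? '').split(';')[0].trim().toLowerCase();
  const policy = parseCsp(h['content-security-policy'] ?? '');
  const findings = [];

  // `*` means a page on any origin can fetch() the bytes and read them.
  const crossOriginReadable = h['access-control-allow-origin'] === '*';
  const scriptCapable = SCRIPT_CAPABLE.has(contentType);
  const scriptBlocked = cspBlocksScript(policy);

  if (scriptCapable && !scriptBlocked) {
    findings.push(`${contentType} served without a script-blocking CSP; ` +
      `send "Content-Security-Policy: default-src 'none'; sandbox"`);
  }
  // Extra check, not raised in the thread: without nosniff a browser may
  // MIME-sniff some responses into a type it is willing to render.
  if ((h['x-content-type-options'] ?? '').toLowerCase() !== 'nosniff') {
    findings.push('missing "X-Content-Type-Options: nosniff"');
  }
  return { contentType, crossOriginReadable, scriptCapable, scriptBlocked, findings };
}

// Constructed sample: the headers described in the thread, on an SVG blob.
const SAMPLE_CURRENT = {
  'Content-Type': 'image/svg+xml',
  'Access-Control-Allow-Origin': '*',
  'Content-Security-Policy': "default-src 'none'; sandbox",
  'X-Content-Type-Options': 'nosniff',
};
```

`assessBlobHeaders(SAMPLE_CURRENT)` reports the blob as cross-origin readable but with script blocked and no findings; drop the CSP header from the sample and the same SVG is flagged as script-capable on the host's origin.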
I'm very hopeful for the possibility of using bluesky for blob data.
A friend and I had considered looking into storing DOOM WADs on bluesky so that "map packs" could be shared in the same way posts are. Follow an account, a list, or a starter pack, and you could theoretically modify GZDoom or some other client to know how to search and view any WADs posted by those accounts. Like how the Steam Workshop works, except it's via bluesky. :D
This is a cool idea, are you thinking of self-hosting this or on their servers? Have they mentioned anything about any guidelines for what their blob storage can be used for? I know Doom is small and that's a great idea; a workshop is a perfect example of how this can be used. I'm just wondering if this can be abused to outsource large server space.
I wasn't around for this specific era, but the way users of BlueSky are able to dive deep into technological waters reminds me of how people talk about learning HTML for the first time while using MySpace. Social media is a more saturated market now than before, but I wonder if we'll see a new generation of programmers sprout from BlueSky.
One of the points that is made is that since the PDS that's being interacted with here is part of a 'Personal Data Server' rather than the Bluesky product, it ends up able to offer infinite free data storage.
This seems like one of the things that might be part of the references the bluesky team has made at times to introducing a subscription service - providing more space / bandwidth / higher quality video on your PDS seems like the type of hosting that could be offered at a premium tier.
> 'Personal Data Server' rather than the Bluesky product
If I understood correctly, the PDS was hosted on Bluesky. I assume it could be hosted somewhere else, so yeah it could be interacted with more than Bluesky.
There should really be a name for this phenomenon; put basically anything on the internet, and sooner or later people will try to host arbitrary files on it.
>and sooner or later people will try to host arbitrary files on it.
I'm pretty sure that's a key reason that Google accounts are limited to 15 GB now until you pay for more storage. When it was unlimited there were all these open-source projects coming up with ideas to back up your filesystem to Gmail and such, which got even worse when Drive came about. These free services need to foresee that that will be an issue and put in some basic limits.
I have a lot of hope for AT. I'm sure there's lots of smart people on HN that have done great things with the Fediverse, but this whole paradigm just seems more sustainable + realistic. Basically it gives us centralization by default, but with real decentralized support when you need it / for power users.
As far as sustainability goes I'm hoping for a better business model than "accept funds from Blockchain Capital" [0], some return on investment in mirroring the firehose. I can muse, a Discord alternative where some users pay to host longer videos (current limit is 60sec [1]) or Patreon where a relay takes a cut in exchange for managing access/decryption keys, or Bandcamp or some other kind of social marketplace - as it is, there's no reason I couldn't do this, it is an open platform after all.
Is there any hosting site that isn't? Feels like a computing law at this point; if you build a hosting site, someone will try to use it for malicious purposes.
The recent API changes in Strava reminded me of how limited our access is to the data stored on their platform. As a dominant player in the fitness space, they could gradually lock features behind a subscription wall.
While this might raise privacy or safety concerns, could the AT Protocol be a suitable platform for storing GPX or FIT files?
I’d love a federated Strava replacement. Unfortunately I don’t believe that the AT Protocol supports private or limited visibility posts yet, which I think is a pretty key feature for Strava’s use case.
The CSP headers didn't used to be there, which I used to pop an alert(), way back. (at the time there was also a MIME whitelist, but that whitelist included image/svg+xml, which allows script execution)
What I remember about that whole affair is that I'd really respected Jack for starting Bluesky, allowing it to be independent of Twitter (and Jay deserves a heaping of credit for pushing that!), and then losing that respect when he seemed to totally misunderstand what Bluesky had gone on to achieve.
Jack was pushing Nostr at the time which... seems ok if you're into that. But his arguments in his interview with Mike Solana really didn't make sense to me.
Ah this is super cool! I’ve been thinking about doing this with my website, but was going to leverage the whtwind lexicon, since my site is mostly a blog. But for the front page, and anything else, I may have wanted something else.
This is more of an unstructured approach, which is cool because it needs less specialized tooling. It has the disadvantage of being… well, just a blob. No semantic information there.
I think the AT protocol is versatile in that users can access each other's data once authenticated without any centralized service (granted the aggregators and some other things may still be centralized).
Is there any auth necessary to pull data from a PDS? I know the main relay is a public firehose so I would be surprised, but maybe the PDS can put relay servers on an allowlist?
So the recent push to artists to move there to protect their rights against AI training is not only false but a trap since anyone can point their cannons to train data on Bluesky.
I'm wondering whether a third-party PDS implementation should support other protocols as well. Would a combined git/PDS repo make any sense at all? (That is, it's a PDS, but it also implements enough of git to do read-only access via git commands.)
pfraze | 1 year ago
sebmellen | 1 year ago
nileshtrivedi | 1 year ago
moritonal | 1 year ago
philipwhiuk | 1 year ago
starkruzr | 1 year ago
[deleted]
simonw | 1 year ago
benatkin | 1 year ago
1: https://github.com/w3c/webappsec/issues/656#issuecomment-246...
2: https://www.w3.org/TR/CSP3/#exfiltration
nightpool | 1 year ago
SAHChandler | 1 year ago
Rick76 | 1 year ago
dev0p | 1 year ago
the-chitmonger | 1 year ago
willscott | 1 year ago
hk1337 | 1 year ago
rsynnott | 1 year ago
Suppafly | 1 year ago
superzamp | 1 year ago
miningape | 1 year ago
Jerrrry | 1 year ago
https://en.wikipedia.org/wiki/Inner-platform_effect
edavis | 1 year ago
bbor | 1 year ago
jazzyjackson | 1 year ago
[0] https://www.blockchaincapital.com/blog/bluesky-13m-users-and...
[1] https://bsky.social/about/blog/09-11-2024-video
h4x0rr | 1 year ago
lazystar | 1 year ago
kuschku | 1 year ago
bigfatkitten | 1 year ago
remram | 1 year ago
unknown | 1 year ago
[deleted]
ineedaj0b | 1 year ago
hiop | 1 year ago
d-lo | 1 year ago
hi_hi | 1 year ago
The example provided is quite basic static text, so I'm wondering if there's a reason for that?
Retr0id | 1 year ago
slowhadoken | 1 year ago
https://amp.theguardian.com/technology/article/2024/may/07/j...
crabmusket | 1 year ago
https://www.techdirt.com/2024/05/13/bluesky-is-building-the-...
rsynnott | 1 year ago
steveklabnik | 1 year ago
la64710 | 1 year ago
jazzyjackson | 1 year ago
irusensei | 1 year ago
hk1337 | 1 year ago
How exactly is the personal data server used? Examples and such?
The link gives a nice high level explanation but I still am not sure of its purpose.
skybrian | 1 year ago
What other protocols would make sense?
srg0 | 1 year ago
code_for_monkey | 1 year ago
anacrolix | 1 year ago
erlend_sh | 1 year ago
unknown | 1 year ago
[deleted]