Pinafore - Alternative web client for Mastodon
-
Excellent, thanks @timconsidine!
Perhaps @staff could take a look to dot the i's and cross the t's and see if we can get it into the app store
-
@timconsidine awesome! One thing is you don't need to have a copy of the pinafore source in the packaging repo. Instead, just adjust the Dockerfile to curl the tarball from GitHub. For example, like https://git.cloudron.io/cloudron/peertube-app/-/blob/master/Dockerfile#L17
-
@girish thanks again for the tip.
I have changed my repo to that approach.
https://git.cloudron.io/timconsidine/pinafore-for-cloudron.git
If you have a moment, do let me know if it now follows best practice.
Builds and deploys ok (for me).
-
@timconsidine nice!
It looks like this is just a static app. Do you know if the upstream already provides a built "bundle"? If so, I wonder if it's worth publishing this as an app or should we try to ask people to just download the bundle and upload it to surfer?
Thoughts?
-
@robi said in Pinafore - Alternative web client for Mastodon:
@girish that won't help with updates and app store availability.
yes, that's true.
Also, it seems there is no way to lock down this app - https://github.com/nolanlawson/pinafore/issues/35. This essentially makes it available for public use. We should probably wait till that is fixed.
-
@girish it seems that won't happen without a PR to get this going.
There are many ways to "lock it down" if necessary.
We can always set up basic/realm auth via the webserver it runs on, or use a small ldap front end to gate access.
Not sure this is a big concern though as most apps we have run on subdomains (CNAMEs) and those don't get a lot of traffic from bots/scanners etc.
Besides, you still have to log into the social network, the client is just the app UI. Hence minimal risk.
-
@robi said in Pinafore - Alternative web client for Mastodon:
Besides, you still have to log into the social network, the client is just the app UI. Hence minimal risk.
yeah, you actually log in to a masto instance, can't do anything on pinafore without doing that, so nothing really to lock down
-
@girish said in Pinafore - Alternative web client for Mastodon:
it seems there is no way to lock down this app
I was a bit concerned too at first.
But as you have to log into a Mastodon instance, I concluded that there is not much security risk about someone else reading my feed.
As it's federated content, I think the only real issue is the privacy aspect of who I am following (maybe who is following me). And we're relying on Mastodon security to manage these aspects. There is however a risk of a personal Pinafore instance being used by anyone for their feed, effectively increasing the traffic and resources needed by the instance. Is this a concern? I'm not sure.
Security by obscurity (nobody finding the instance) is usually a poor approach. But often it's sufficient.
Is it enough to add some basic HTTP auth to the instance as an improvement on relying on obscurity?
-
@timconsidine seems like my custom package is copying unnecessary files into the deployment. Just FYI to anyone bothered. I will look at fixing this.
-
@Staff It'd be great to get the package @timconsidine put together polished up and in the app store
-
Haven't looked at it in a while and I'm sure there are improvements to be made.
Was done a long time ago.
But would be a good addition to the official App Store ... IMHO