Pinafore - Alternative web client for Mastodon

girish

@timconsidine nice!

It looks like this is just a static app. Do you know if the upstream already provides a built "bundle" ? If so, I wonder if it's worth publishing this as an app or should we try to ask people to just download the bundle and upload it to surfer ?

Thoughts?

timconsidine

@girish the simplest approach is best, so maybe put it in surfer.
I didn't think of that.
And I didn't look too carefully.
Just liked the look of it.
Will look more deeply.

robi

@girish that won't help with updates and app store availability.

Do you plan to keep a running list of apps one can install manually into surfer/lamp/wp etc?

girish

@robi said in Pinafore - Alternative web client for Mastodon:

@girish that won't help with updates and app store availability.

yes, that's true.

Also, it seems there is no way to lock down this app - https://github.com/nolanlawson/pinafore/issues/35 . This essentially makes it available for public use. We should probably wait till that is fixed.

robi

@girish it seems that won't happen without a PR to get this going.

There are many ways to "lock it down" if necessary..

We can always set up basic/realm auth via the webserver it runs on, or use a small ldap front end to gate access.

Not sure this is a big concern though as most apps we have run on subdomains (CNAMEs) and those don't get a lot of traffic from bots/scanners etc.

Besides, you still have to log into the social network, the client is just the app UI. Hence minimal risk.

jdaviescoates

@robi said in Pinafore - Alternative web client for Mastodon:

Besides, you still have to log into the social network, the client is just the app UI. Hence minimal risk.

yeah, you actially login to a masto instance, can't do anything on pinafore without doing that, so nothing really to lock down

timconsidine

@girish said in Pinafore - Alternative web client for Mastodon:

it seems there is no way to lock down this app

I was bit concerned too at first.
But as you have to log into a Mastodon instance, I concluded that there is not much security risk about someone else reading my feed.
As it's federated content, I think the only real issue is the privacy aspect of who I am following (maybe who is following me). And we're relying on Mastodon security to manage these aspects.

There is however a risk of a personal Pinafore instance being used by anyone for their feed, effectively increasing the traffic and resources needed by the instance. Is this a concern? I'm not sure.

Security by obscurity (nobody finding the instance) is usually a poor approach. But often it's sufficient

Is it enough to add some basic HTTP auth to the instance as improvement on relying on obscurity ?

timconsidine

@timconsidine seems like my custom package is copying unnecessary files into the deployment. Just FYI to anyone bothered. I will look at fixing this.

jdaviescoates

@Staff It'd be great to the package @timconsidine put together polished up and in the app store

timconsidine

Haven't looked at in a while and I'm sure there are improvements to be made.
Was done a long time a go.
But would be a good addition to the official App Store .... IMHO