[website] refactor kaitai.io a bit

[KOLANICH]

1 Remove bootstrap. I have tried to make the tabs work without JavaScript without too much sodomy (which will never be accepted because it makes code dirty) and failed. Current layout

<ul class="nav nav-pills" role="tablist">
                <li role="presentation" class="active"><a href="#download-linux-deb" role="tab" data-toggle="tab">Linux .deb</a></li>
                <li role="presentation"><a href="#download-windows" role="tab" data-toggle="tab">Windows</a></li>
                <li role="presentation"><a href="#download-universal" role="tab" data-toggle="tab">Universal .zip</a></li>
                <li role="presentation"><a href="#download-source" role="tab" data-toggle="tab">Source</a></li>
            </ul>
<div class="tab-content" style="margin-top: 20px; min-height: 300px">
                <div role="tabpanel" class="tab-pane active" id="download-linux-deb">
                    ...
                </div>
                ....
</div>

disallows that dirty hacks used for css tabs (a label in tab a tab header and a radio and checked pseudoclass and some selectors. The problem here is that css selectors disallow to select parents so we can't style both tabs headers and tabs bodies in this layout without too much sodomy such as making 2 radios per tab: one is for header, one is for body). Because this layout is dictated by bootstrap I guess we should eliminate bootstrap-based tabs and implement css tabs instead. 2 We should eliminate all third-party resources because they can be changed to malicious ones any time and because accesses to them leak info to third parties. In fact I think the true goal of spending money for providing these resources in CDN for free for every webdev is to collect leaked information from the whole internet of lemmings. I think we should make a local (gh-pages) copy of them and link it instead of cdnjs and google fonts. For binary resources we should use git lfs which was created to solve problems git has with binaries. 3 When I go to github's URI for kaitai.io it redirects me to main domain. But that domain lacks https because github is actually used and gh cert has gh dns in it. I don't think it is good to load executable code (javascript) via insecure channel.

[GreyCat]

1 Remove bootstrap.

While I don't really enjoy Bootstrap much, it works right now. If you'll provide any alternative solution (ideally, a unified one for {www,doc,formats}.kaitai.io and kaitai.io/ci) — I'd be more than happy.

2. We should eliminate all third-party resources

If we're using GH, we're already leaking info, at least to GH and Fastly. Our DNS zone is moved to CloudFlare, so we're leaking to CloudFlare as well, at least the DNS queries. Given that we also use Google Analytics, we're leaking info to Google too. CDNJS is essentially a CloudFlare-provided hosting. So, actually, removing Google Fonts and/or CDNJS won't reduce leaking in any way.

I can agree that having non-local resources might be a minor nuisance (i.e. when developing locally on a host without Internet access).

For binary resources we should use git lfs which was created to solve problems git has with binaries.

What's "binary resources", and why would git lfs exactly solve here?

3 When I go to github's URI for kaitai.io it redirects me to main domain. But that domain lacks https

Technically, I can enable https via Cloudflare on kaitai.io as well. Not that it's something good.

[KOLANICH]

16 марта 2017 г. 2:26:38 GMT+03:00, Mikhail Yakshin notifications@github.com пишет:

1 Remove bootstrap.

While I don't really enjoy Bootstrap much, it works right now. If you'll provide any alternative solution (ideally, a unified one for {www,doc,formats}.kaitai.io and kaitai.io/ci) — I'd be more than happy.

2. We should eliminate all third-party resources

If we're using GH, we're already leaking info, at least to GH and Fastly. Our DNS zone is moved to CloudFlare, so we're leaking to CloudFlare as well, at least the DNS queries. Given that we also use Google Analytics, we're leaking info to Google too. CDNJS is essentially a CloudFlare-provided hosting. So, actually, removing Google Fonts and/or CDNJS won't reduce leaking in any way.

I can agree that having non-local resources might be a minor nuisance (i.e. when developing locally on a host without Internet access).

For binary resources we should use git lfs which was created to solve problems git has with binaries.

What's "binary resources", and why would git lfs exactly solve here?

3 When I go to github's URI for kaitai.io it redirects me to main domain. But that domain lacks https

Technically, I can enable https via Cloudflare on kaitai.io as well. Not that it's something good.

If we're using GH, we're already leaking info, at least to GH and Fastly.

For now we cannot not to leak the info to the hosting provider we use.

Our DNS zone is moved to CloudFlare, so we're leaking to CloudFlare as well, at least the DNS queries. Technically, I can enable https via Cloudflare on kaitai.io as well. Not that it's something good.

The good thing is that it reduces the potential attackers count. But I'm not happy with cloudflare, why don't you just use a subdomain of github.io? It has https, it doesn't use cloudflare. The domain name would look not that nice, but it is memorable enough.

Given that we also use Google Analytics, we're leaking info to Google too.

I really don't see any good reason to use it. The project is developer-oriented, developers are expected to give some explicit feedback, if they feel that something can be done better. BTW, GA can be blocked without any harm to the user using the tools like NoScript, μBlock, μMatrix, PrivacyBadger, etc.

[GreyCat]

The good thing is that it reduces the potential attackers count.

Not really, that's mostly an illusion for people who believe that "https == secure".

why don't you just use a subdomain of github.io?

Because you can't use both due to how GH pages work, and having our own domain heavily outweighs potential benefits of "free https in github.io". For example, for starters, I certainly don't like to be tied to GH in the first place. If and when things will start to go south, having our own domain will allow to migrate from GH in relatively decent manner.

I really don't see any good reason to use it.

Unfortunately, in current state of affairs, there's basically no way to avoid using GA if you want to have a general overview of what's going on with your project public relations. For example, if you want to see Google search engine queries that lead to your site, GA is the only analytics engine that will show it (obviously). Seeing impact of particular actions (i.e. releases, documentation, articles, news entries, event participation) in general is pretty important as well. Its just natural that every project wants to reach as much people out there as possible, but what's the most effective way to do so?

The project is developer-oriented, developers are expected to give some explicit feedback, if they feel that something can be done better.

No, they don't. Developers are just normal human beings, and there are tons of barriers: language, hesitation, "looks cool but I have no time right now", etc, etc. Not everyone has even a fraction of your energy level ;)

[KOLANICH]

16 марта 2017 г. 12:22:36 GMT+03:00, Mikhail Yakshin notifications@github.com пишет:

The good thing is that it reduces the potential attackers count.

Not really, that's mostly an illusion for people who believe that "https == secure".

why don't you just use a subdomain of github.io?

Because you can't use both due to how GH pages work, and having our own domain heavily outweighs potential benefits of "free https in github.io". For example, for starters, I certainly don't like to be tied to GH in the first place. If and when things will start to go south, having our own domain will allow to migrate from GH in relatively decent manner.

I really don't see any good reason to use it.

Unfortunately, in current state of affairs, there's basically no way to avoid using GA if you want to have a general overview of what's going on with your project public relations. For example, if you want to see Google search engine queries that lead to your site, GA is the only analytics engine that will show it (obviously). Seeing impact of particular actions (i.e. releases, documentation, articles, news entries, event participation) in general is pretty important as well. Its just natural that every project wants to reach as much people out there as possible, but what's the most effective way to do so?

The project is developer-oriented, developers are expected to give some explicit feedback, if they feel that something can be done better.

No, they don't. Developers are just normal human beings, and there are tons of barriers: language, hesitation, "looks cool but I have no time right now", etc, etc. Not everyone has even a fraction of your energy level ;)

Not really, that's mostly an illusion for people who believe that "https == secure".

https!=secure, but https == not tampered with parties who are not either trusted (s.a. CAs, CDNs , the website, third-party content, though I don't really trust them) or ones who haven't broken https. I surely don't want to get an exploit or any other malicious content like tracking script because someone have tampered with traffic.

I certainly don't like to be tied to GH in the first place

You are already tied - you use it as a storage for the code. But since you have the code on your pc you can put it to another git hosting. In any case it would require to inform the devs to migrate.

Its just natural that every project wants to reach as much people out there as possible, but what's the most effective way to do so?

Maybe you should conditionally load trackers depending on navigator.doNotTrack. You can also put a custom analitics collection php or python script on a free web hosting (js part should be stored locally), but there is a problem - your free web hosting account can be ddosed, so you will have to use anti-ddos.

[GreyCat]

https == not tampered with parties who are not either trusted (s.a. CAs, CDNs , the website, third-party content, though I don't really trust them) or ones who haven't broken https.

Not really, that's mostly an illusion. CF <-> GH traffic goes totally unencrypted both ways: anyone in between can in theory inject something into it. Then again, CF itself is one of the world's largest user trackers and loggers. And they're known to introduce new "useful features" from time to time, which are enabled by default, injecting some JavaScript in your traffic, and collecting more data about your users.

You are already tied - you use it as a storage for the code.

No, we aren't. There are tons of other git hostings, and one can roll one's own.

In any case it would require to inform the devs to migrate.

And having our own domain helps a lot in such situation.

Maybe you should conditionally load trackers depending on navigator.doNotTrack

I sincerily doubt that those who really don't want to be tracked load and execute every script they get and rely on that some "good willing party" will respect DNT. Any sane person would at least use a content / script blocker.

You can also put a custom analitics collection php or python script on a free web hosting

Even if a good enough solution ever existed, Google has done everything possible that you can't avoid using GA — for example, you can get Google search queries exclusively in GA, because it's owned by Google.

there is a problem - your free web hosting account can be ddosed

In my practice, that's not a problem. The problems are that (1) someone has to maintain that VPS, and (2) they are very unreliable — a single bad neighbor and your site can be down for days.

I have only several hours a day I can play with this project, and I would really prefer to do what's fun (i.e. development), not spend these hours doing boring infrastructure / organizational stuff.