I encountered a problem in the pod configuration files. The feature “jquery_cdn” (take the jQuery script from jquery.com) is enabled by default. This can compromise security and makes diaspora centralized, because jquery.com can replace the script. I’m a podmin and I never thought that this feature was enabled on my pod, because I kept this option commented out (screened by #) in the configuration, and I was sure, but… I had to uncomment the option in the configuration and explicitly disable it (erase ‘true’ and type ‘false’).
I suggest disabling jquery_cdn in defaults.yml. Podmins may uncomment this option in diaspora.yml and enable the jQuery CDN if necessary.
Note: This discussion was imported from Loomio. Click here to view the original discussion.
It’s the price we should pay for decentralization. Diaspora has many problems associated with decentralization - for example, we have no search across all pods. By using jquery.com or any other corporate CDN provider we make the network centralized. The owners of jquery.com may replace the script and disable most of the pods, or steal data passed via jQuery.
Anyway, the discussion is only about default settings. A podmin can easily enable the CDN by removing a single sharp character (#) from the configuration file.
I thought CDN for jQuery was disabled by default. Certainly that’s what the yml config file implies.
Can someone with core code knowledge confirm whether or not the code does use jQuery.com’s CDN as default?
I don’t think it matters too much whether the CDN is enabled or disabled by default - it brings performance improvements, and any particularly privacy-conscious podmin can easily disable it - but the important thing is that the text in the config file must clearly explain what the default case is - enabled or disabled. That’s what needs to be fixed if it’s not clear at the moment.
If we write in the description something like this: “Don’t include jQuery from jquery.com’s CDN. jQuery is included from jquery.com’s CDN by default. This feature potentially saves you some traffic and speeds up load time since most clients already have this one cached. You can disable it by uncommenting the following line, if you want to host jQuery on your pod. #jquery_cdn: false”
This description is still unclear because a description should describe what the setting does, not what the provided example would do if enabled.
Proposal: Change jquery_cdn in defaults.yml to false
Currently jquery_cdn is by default true - which means diaspora* will fetch the jQuery javascript from the official jQuery servers. If this setting is false, diaspora* will itself serve jQuery.
Pros to having this default to true (like it is now):
Save some bandwidth for the pod maintainer
Faster page loading since most users will already have jQuery cached from the CDN (=half of the internet uses it)
Cons to having this default to true (like it is now):
Each page load also makes a request to the jQuery servers - a potential privacy issue if someone is worried about that
Problems with the jQuery servers would create problems for diaspora* pods (as unlikely as that is, it is possible)
So, this proposal gives the following options:
YES - change jquery_cdn to FALSE - i.e. the diaspora server will serve jQuery directly to the user
NO/BLOCK - keep jquery_cdn as TRUE - i.e. the user's browser will fetch jQuery from the jQuery servers
NOTE! Podmins can always change this setting, whatever the default is.
Outcome: N/A
Votes:
Yes: 15
Abstain: 3
No: 0
Block: 0
Note: This proposal was imported from Loomio. Vote details, some comments and metadata were not imported. Click here to view the proposal with all details on Loomio.
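The confusion in this thread (a commented-out line in diaspora.yml does nothing, so the value in defaults.yml wins) is easy to see with a small illustration. The following Ruby script is an added example written for this page, not diaspora*'s own configuration loader (diaspora* uses its own settings library, whose internals are not shown here). It assumes the key lives at `configuration.environment.assets.jquery_cdn` and that pod settings are deep-merged over defaults; the three YAML documents are constructed inline for the example.

```ruby
require "yaml"

# Constructed stand-in for config/defaults.yml as it is today (jquery_cdn: true).
DEFAULTS_YML = <<~YAML
  configuration:
    environment:
      assets:
        jquery_cdn: true
YAML

# Constructed stand-in for the defaults.yml the proposal asks for (jquery_cdn: false).
PROPOSED_DEFAULTS_YML = <<~YAML
  configuration:
    environment:
      assets:
        jquery_cdn: false
YAML

# A podmin's diaspora.yml with the line still commented out: YAML sees
# "assets:" with no value, so nothing here overrides the default.
POD_YML_COMMENTED = <<~YAML
  configuration:
    environment:
      assets:
        #jquery_cdn: false
YAML

# The same file with the line uncommented and set to false explicitly.
POD_YML_EXPLICIT = <<~YAML
  configuration:
    environment:
      assets:
        jquery_cdn: false
YAML

# Recursive merge: pod values override defaults key by key. A section that is
# present but empty in the pod file (nil, as for the commented-out case) keeps
# the whole default section instead of wiping it.
def deep_merge(defaults, overrides)
  defaults = {} if defaults.nil?
  return defaults if overrides.nil?
  defaults.merge(overrides) do |_key, default_value, override_value|
    if default_value.is_a?(Hash) && (override_value.is_a?(Hash) || override_value.nil?)
      deep_merge(default_value, override_value)
    else
      override_value
    end
  end
end

def effective_config(defaults_yml, pod_yml)
  deep_merge(YAML.safe_load(defaults_yml), YAML.safe_load(pod_yml))
end

# The check a podmin actually cares about: will pages load jQuery from the CDN?
# Only a literal true counts; nil (key never set) is treated as disabled.
def jquery_cdn_enabled?(defaults_yml, pod_yml)
  cfg = effective_config(defaults_yml, pod_yml)
  cfg.dig("configuration", "environment", "assets", "jquery_cdn") == true
end

if __FILE__ == $PROGRAM_NAME
  puts "current defaults, line commented out: CDN enabled? " \
       "#{jquery_cdn_enabled?(DEFAULTS_YML, POD_YML_COMMENTED)}"
  puts "current defaults, explicit false:     CDN enabled? " \
       "#{jquery_cdn_enabled?(DEFAULTS_YML, POD_YML_EXPLICIT)}"
  puts "proposed defaults, line commented out: CDN enabled? " \
       "#{jquery_cdn_enabled?(PROPOSED_DEFAULTS_YML, POD_YML_COMMENTED)}"
end
```

With the current defaults the first line prints `true`: leaving `#jquery_cdn: false` commented out in the pod file changes nothing, which is exactly what the opening post ran into. Only an uncommented `jquery_cdn: false` (second line) or the proposed change to defaults.yml (third line) results in the pod serving jQuery itself.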
While I personally think using the jQuery CDN is a good thing to do (and will continue to do on my pod) - I also think it would probably be better to default to false here, so that podmins who want to use it will need to actually enable it.
I think our opinion is quite clear on this. Do we also agree this change should be pushed out in the next major release, not the next minor release? IMHO this should be in a major release since it changes old configuration defaults.
I don’t think there’s any hurry to push out this change, since any podmin can easily switch off CDN. I’d suggest clarifying the explanation in the config file in the very next release, so that no one can be confused about what is the default setting, and then changing the actual default setting in the next major release, as you suggest.
@rich1 I think Goob wrote out a good plan - reword the current setting in the next release, then change the setting in the next major release. Someone needs to do a pull, for example like 5065.
I could do a PR, but first I need a definitive answer from someone in the know about what the actual default position (if the line in the defaults file remains commented out) is.