Appreciated Daniel reaching out to the team about this! Hosting blobs is one of those things that will inevitably go through iterations as we understand the abuse vectors more and more, but for now it's really fun to see this kind of usage in action. The PDS is meant to be a database host in the same sense that a webserver is a website host.
I was curious as to the security context this runs in:<p><pre><code> curl -i 'https://porcini.us-east.host.bsky.network/xrpc/com.atproto.sync.getBlob?did=did:plc:j22nebhg6aek3kt2mex5ng7e&cid=bafkreic5fmelmhqoqxfjz2siw5ey43ixwlzg5gvv2pkkz7o25ikepv4zeq'
</code></pre>
Here are the headers I got back:<p><pre><code> x-powered-by: Express
access-control-allow-origin: *
cache-control: private
vary: Authorization, Accept-Encoding
ratelimit-limit: 3000
ratelimit-remaining: 2998
ratelimit-reset: 1732482126
ratelimit-policy: 3000;w=300
content-length: 268
x-content-type-options: nosniff
content-security-policy: default-src 'none'; sandbox
content-type: text/html; charset=utf-8
date: Sun, 24 Nov 2024 20:57:24 GMT
strict-transport-security: max-age=63072000
</code></pre>
Presumably that ratelimit is against your IP?<p>"access-control-allow-origin: *" is interesting - it means you can access content hosted in this way using fetch() from JavaScript on any web page on any other domain.<p>"content-security-policy: default-src 'none'; sandbox" is very restrictive (which is good) - content hosted here won't be able to load additional scripts or images, and the sandbox tag means it can't run JavaScript either: <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/sandbox" rel="nofollow">https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Co...</a>
I'm very hopeful for the possibility of using bluesky for blob data.<p>A friend and I had considered looking into storing DOOM WADs on bluesky so that "map packs" could be shared in the same way posts are. Follow an account, a list, or a starter pack, and you could theoretically modify GZDoom or some other client to know how to search and view any WADs posted by those accounts. Like how the Steam Workshop works, except it's via bluesky. :D
I wasn't around for this specific era, but the way users of BlueSky are able to dive deep into technological waters reminds me of how people talk about learning HTML for the first time while using MySpace. Social media is a more saturated market now than before, but I wonder if we'll see a new generation of programmers sprout from BlueSky.
One of the points that is made is that since the PDS that's being interacted with here is part of a 'Personal Data Server' rather than the Bluesky product, it ends up able to offer infinite free data storage.<p>This seems like one of the things that might be part of the references the bluesky team has made at time to introducing a subscription service - providing more space / bandwidth / higher quality video on your PDS seems like the type of hosting that could be offered at a premium tier.
There should really be a name for this phenomenon; put basically anything on the internet, and sooner or later people will try to host arbitrary files on it.
If this sort of thing interests you, check out atfile: <a href="https://github.com/electricduck/atfile">https://github.com/electricduck/atfile</a>
Pretty awesome! Convenience link to the fascinating github issue linked at the bottom, featuring Bluesky celebrity pfrazee: <a href="https://github.com/bluesky-social/atproto/issues/523">https://github.com/bluesky-social/atproto/issues/523</a><p>I have a lot of hope for AT. I'm sure there's lots of smart people on HN that have done great things with the Fediverse, but this whole paradigm just seems more sustainable + realistic. Basically it gives us centralization by default, but with <i>real</i> decentralized support when you need it / for power users.
The recent API changes in Strava reminded me of how limited our access is to the data stored on their platform. As a dominant player in the fitness space, they could gradually lock features behind a subscription wall.<p>While this might raise privacy or safety concerns, could the AT Protocol be a suitable platform for storing GPX or FIT files?
Could some awesome person possibly summarise any limitations or use cases where this might not work well?<p>The example provided is quite basic static text, so I'm wondering if there's a reason for that?
The CSP headers didn't used to be there, which I used to pop an alert(), way back. (at the time there was also a MIME whitelist, but that whitelist included image/svg+xml, which allows script execution)
Whenever I hear about Bluesky I think about Jack Dorsey quitting their board and asked people to stay on Twittet/X.<p><a href="https://amp.theguardian.com/technology/article/2024/may/07/jack-dorsey-quits-bluesky-board-urges-users-stay-elon-musk-x-twitter" rel="nofollow">https://amp.theguardian.com/technology/article/2024/may/07/j...</a>
Ah this is super cool! I’ve been thinking about doing this with my website, but was going to leverage the whtwind lexicon, since my site is mostly a blog. But for the front page, and anything else, I may have wanted something else.<p>This is more of an unstructured approach, which is cool because it needs less specialized tooling. It has the disadvantage of being… well, just a blob. No semantic information there.
I think the AT protocol is versatile in that users can acces each others data once authenticated without any centralized service (granted the aggregators and some other things may still be centralized).
<a href="https://atproto.com/guides/glossary" rel="nofollow">https://atproto.com/guides/glossary</a><p>How exactly is the personal data server used? Examples and such?<p>The link gives a nice high level explanation but I still am not sure of its purpose.
I'm wondering whether a third-party PDS implementation should support other protocols as well. Would a combined git/PDS repo make any sense at all? (That is, it's a PDS, but it also implements enough of git to do read-only access via git commands.)<p>What other protocols would make sense?
Right now it's the only page under site:bsky.network if you search for that. Hilarious and awesome! <a href="https://www.google.com/search?q=site%3Absky.network" rel="nofollow">https://www.google.com/search?q=site%3Absky.network</a> Daniel is a great hacker.
Just a (very unserious) reminder that you can host +7kb of data in a single tweet using data URIs + gzip.<p>Here's Pong (HTML + JS) and the Epic of Gilgamesh: <a href="https://x.com/rafalpast/status/1316836397903474688" rel="nofollow">https://x.com/rafalpast/status/1316836397903474688</a><p>(brought to you by the ad tracking pixel parameters ignoring the tweet length limit)<p>More links + the "Twitter CDN" editor™: <a href="https://sonnet.io/projects#:~:text=Laconic!%20(a%20Twitter%20CDN)" rel="nofollow">https://sonnet.io/projects#:~:text=Laconic!%20(a%20Twitter%2...</a>
<a href="https://bsky.app/profile/leocomerford.bsky.social/post/3l7v6x2w56v26" rel="nofollow">https://bsky.app/profile/leocomerford.bsky.social/post/3l7v6...</a> To help the hard of clicking, this time I have pasted it all for you:<p>Leo R. Comerford
@leocomerford.bsky.social<p>Why was it decided not to build on any existing content-addressable networking system (IPFS or whatever)?<p>November 1, 2024 at 12:39 PM<p>Leo R. Comerford @leocomerford.bsky.social
·
23d<p>(Not implying that this was the wrong decision, it’s a genuine question.)<p>dan @danabra.mov
·
23d<p>actually not sure i can answer this well. paging @bnewbold.net or maybe @why.bsky.team (who worked on IPFS btw)<p>dan @danabra.mov
·
23d<p>my guess is that we’d want data hosting to be under direct control of the user (same as web hosting) rather than peer-to-peer, want instant deletion/edits at the source, need ability to move to a different host or take content down, need grouping into collections. not sure how much IPFS could adapt<p>dan @danabra.mov
·
23d<p>we do use some pieces from IPFS through (aside from the actual peer to peer mechanism)
bryan newbold @bnewbold.net
·
4mo<p>you can basically ignore it, we don't use "IPFS" proper anywhere.<p>there are strong social connections, and we borrow some tech components like CIDs (flexible hash/digest syntax) and DAG-CBOR (more-deterministic subset of CBOR, good for signing+hashing)
<p>Bumblefudge @bumblefudge.com
·
1d<p>yeah this is all accurate. bluesky remixed a lot of IPFS components and patterns in interesting ways, but the monolithic global IPFS network (with chatty DHT distribution) wouldn't make sense here, BS made an infinitely more efficient/performant distribution of bytes tailored to its use case.
<p>Bumblefudge @bumblefudge.com
·
1d<p>FWIW the IPFS foundation is working on making IPFS more modular and easily remixed for future BlueSkies, but it's a big task decomposing the monolith and reorienting the documentation and ergonomics...<p>[a second reply to the first skeet:]<p>Uai @why.bsky.team
·
23d<p>As far as im concerned (and i led ipfs development for a number of years) we <i>are</i> using ipfs, just a specific streamlined implementation of it.
All your repo data can be imported into an ipfs node and addressed via cid
<p>Uai @why.bsky.team
·
23d<p>We dont use libp2p because for a consumer mobile app we didnt want to futz with nat traversal and connectivity and the like, but its definitely possible to build a p2p version of bluesky