lnsp's comments

Valar: https://valar.dev

It's kinda like a private SaaS platform. I just run it for me and a couple of friends right now and am just hosting a ton of little fun side projects on it.

e.g. https://tim-efa.valar.app which brings Munich's public transport schedule to your terminal (try it with curl, looks way better)

It supports all kinds of things like bring-your-own-domain, e.g. I run my portfolio page https://espe.tech on top of it. It is partly open-source (actually only the CLI for now) but I plan to fully open-source it in the future after cleaning up the code a bit and improving testing and stuff :)


As far as I understood it: the premise of added security is based on the fact that the other WebRTC peers only see Cloudflare's IP instead of your own. Also nobody knows who you are exactly talking to except Cloudflare. I would still expect that the media channels themselves still remain encrypted even when multiplexed by Cloudflare's network.

edit, yes it's encrypted:

> Finally, all video and audio traffic that passes through Cloudflare Calls is encrypted by default. Calls leverages existing Cloudflare products including Argo to route the video and audio content in a secure and efficient manner.


It doesn't say that Cloudflare can't or doesn't access the encrypted data. It seems to be written in a way that everyone would assume they can't but AFAICT it doesn't explicitly say it. Which makes me think they phrased it like this for a reason but I definitely could be wrong.


Cloudflare provides an immense value for small sites. Doing DDoS protection with specialized firewall hardware was one of the most expensive things you could do, so it wasn't really affordable for lots of people. They win by solving a problem. I believe that the issue of Cloudflare as a man-in-the-middle is a smaller issue for people running websites than the damage done by potential attacks.


The argument about Cloudflare being the man-in-the-middle has always confused me. Yeah, it makes sense if you're big enough to run your own data centers, but for most smaller sites you're trusting someone to host it, so how is Cloudflare any different than some other random provider?

I'd still like to know what happened with that domain that got put into pendingDelete with a false positive a couple weeks ago, but, besides that, I'm very bullish on Cloudflare. I think there's a massive amount of opportunity to capture underserved markets in tech right now due to subscription fatigue and increasing prices. More reasonable pricing could do well in the low end of some markets and having a platform like Cloudflare that can scale to $0 makes it much more practical to start thinking about building for some of those markets.

Cloudflare solves a real problem that's impossible for anyone small to solve for themselves and getting to ignore all of that complexity makes it practical for people to build things they couldn't even consider before. Cloudflare is adding value way beyond any risk they're creating by acting as a proxy.


> but for most smaller sites you're trusting someone to host it, so how is Cloudflare any different than some other random provider

Easy - you’re trusting someone, true, but it’s likely not the same person that someone else is trusting.

With Cloudflare, pretty much everyone is trusting the same party. Compromising Cloudflare compromises everyone.


> Easy - you’re trusting someone, true, but it’s likely not the same person that someone else is trusting.

I dunno if that's true. I mean I can name 5 companies and generally speaking narrow it down to the owner of the hardware (or the owner of the owner of the hardware) or at the very least a company with enough resources that if they want your content they can take it.


So the real problem seems to be that they are a monopoly? But how is that their fault? They invented the low-cost CDN market, before them we mostly just had Akamai that hosted Wimbledon-size websites and streams for $$$$.

PS. also unclear where else I can get similar services - no affiliation with them, just to run a small website.


> the issue of Cloudflare as a man-in-the-middle is a smaller issue for people running websites than the damage done by potential attacks.

There is no damage done by potential attacks. Damage is done by actual attacks. I am not simply being pedantic. The damage done by blocking users and the leaking of data via TLS proxying seems very real. One cannot make comparisons between actuality and potentiality.


How is this any different than AWS/Azure/GCP (e.g. cloud functions) MITMing your users' connections? If it's not your hardware, it's not your encryption keys.


> How is this any different than AWS/Azure/GCP

No real difference AFAICS, it's a general problem of poor cybersecurity education and quick/cheap solutions. I certainly don't mean to single out Cloudflare alone on that point.


While their hardware helps in terms of their costs and scale the real challenge is the bandwidth.

Blocking traffic at your edge means that by the time you're able to evaluate traffic and take action it has already consumed your bandwidth. Cloudflare is able to protect aspects of their internal network and customer properties with their filtering but they need a tremendous amount of bandwidth and anycast in order to do it in the first place.


Great to see new features being implemented. I'm using DuckDB for a thesis project and integrating it into my own Python CLI/web tool has been super easy -- I especially love the direct integration with DataFrames, it makes things really seamless.


I got a

- main desktop PC (AMD Ryzen 5950X, 64GB, 2TB SSD) I use for basically everything when I'm doing stuff at home (dual boot Linux/Windows)

- a recent 2021 14" MacBook Pro (which replaced an older 2016 MBP) for university

- a 4th-gen iPad Air with Pencil (mostly note-taking and occasional media consumption)

- my previous desktop PC (Intel 3770k, ~12TB storage) stuffed full of storage, just a place where I can throw data I don't immediately need anymore

- a Raspberry Pi 4 with a 512GB SSD attached, running some home services like DNS

So 5 in total not counting my phone.


> Litestream has a new home at Fly.io, but it is and always will be an open-source project. My plan for the next several years is to keep making it more useful, no matter where your application runs, and see just how far we can take the SQLite model of how databases can work.

As far as I understood it, Fly.io hired the person working on Litestream and pays them to keep working on Litestream.


That’s how I understood it and that’s radically different than how this HN post got titled.

Ben Johnson confirms how you framed it here:

https://mobile.twitter.com/benbjohnson/status/15237489883352...


We wrote a different title for this blog post, and we did in fact buy Litestream (to the extent that anyone can "buy" a FOSS project, of course).


> (to the extent that anyone can "buy" a FOSS project, of course).

Does this mean that, in addition to offering a salary / options, you provided some sort of additional one-time compensation for copyright assignment?


All the code that has already been written/published already has the FOSS license (in this case APLv2). No take-backsies.

So presumably no, there was not a one-time compensation for copyright assignment.


> All the code that has already been written/published already has the FOSS license (in this case APLv2). No take-backsies.

You do realize that this fact does not entitle you to the copyright of the work, right? It entitles you to use it, modify, redistribute, etc, with continued attribution of the copyright holders.

As such, copyright re-assignment is possible for any code that Ben wrote. And, any contributions are probably a grey area of sorts since there was probably no agreement of copyright assignment when contributing as there is in some projects. Any who.


So if I take code that was released with a license like the APLv2, at any point the person that wrote that code can change the license and then sue me for using the code without permission? That doesn't sound right.


It is my understanding that the contract with you is APLv2, and he can't one-sidedly change that.

However, nothing is guaranteed about the future license of the project. The rights holder could only release future versions under a proprietary license. Meaning buying rights assignment is buying the future of the project. Of course everyone forks and leaves if you get too draconian up front, so you have to slow boil that frog.


Not really though right? Copyright assignment applies to the existing code, which is again already licensed as APLv2. Future versions of software could be licensed differently because there would be new contributions. However now that Ben is working for fly.io, the primary way to do this would be to say fly.io is the rightsholder for contributions Ben makes to Litestream while working for the company.

This does not require selling the copyright of existing code, nor does it seem to me like that sale would be beneficial for achieving the above.


> Copyright assignment applies to the existing code, which is again already licensed as APLv2.

? If you have a copy of the code in your hands, then the license that applies to your use of it is APLv2.

The owner of the rights can take the official public project repo private, and either never publish it again or change the license on the official repo to whatever they like.

It doesn't matter if the code used to be APLv2 if you didn't get a copy of it. If you don't have and want the code, and it is now available with N license, you either accept N license, find some unofficial copy of the APLv2 version, or you don't get access to the code.


... That's not at all what this means.

1. I didn't say anything about changing the LICENSE, but it certainly would be possible to change the LICENSE. Typically, you need to get all the copyright holders to agree to it (e.g. all previous contributors), OR, move to a license that ensures all of the previous rights as well (e.g. a compatible license). Additionally, there's a moment when the LICENSE changes. Previous releases would be under the previous license and available indefinitely under those terms (assuming you have the source code at that version).

2. The LICENSE itself has provisions around use of the code. If you fail to adhere to the agreement, then, yes, you could be sued by the copyright holder. Effectively, for APLv2, here is a summary: https://tldrlegal.com/license/apache-license-2.0-%28apache-2...

3. What I did say is changing the _copyright holder_, e.g., the owner. This is the grantor of the LICENSE, who is providing the software / source code (typically gratis, but it doesn't have to be) provided you adhere by the rules stated in the LICENSE. APLv2.0 definitely doesn't give you the right to pretend you wrote the entire thing. In fact, if you redistribute the source code with modifications, the APLv2.0 requires that you include a statement of your significant changes.


I know that's not what it means, which is why I was confused when you initially responded with the comment that you did. I guess partly I was confused by the condescending phrasing you used when nothing I said was incorrect. Any who.

My point was only – why would fly.io pay an appreciable sum to transfer the copyright of code already written when a FOSS license has already been applied to that code? Clearly that was a connection I was making in my head that I failed to write down in my comment.


I guess, fundamentally, the question comes down to: “will we expect Litestream to be developed under the name Ben Johnson, or Fly.io.” This _might_ have implications for what the project becomes.

My intention was not to be condescending, fwiw, so I am sorry for my failure there.


I guess in the long term the product will at least pay for itself, in the short term it will just be a marketing campaign and gives people a good reason to switch from their Amazon stack in case they don't depend on things like EC2-S3 transfers. When comparing to Backblaze B2 [1], Cloudflare's storage cost is 3x but you don't pay for egress as a tradeoff (compared to 0.01$/GB for Backblaze).

[1] https://www.backblaze.com/b2/cloud-storage-pricing.html


I discovered this book today and have been reading it all afternoon. The interviews with Brad Fitzpatrick and Peter Norvig are very entertaining (and informative)!


Isn't this solved by a large scale find-and-replace for existing scripts? Sure, the changes can be inconvenient but it's not like a major API change or something. They've also been printing out warning messages since December 29th according to the issue, so I'd expect that people would have updated their pipelines by now.


Except that not every project has/will make the switch to "main"

Ultimately you'd just end up with scripts that have to check for both main and master branch


TLDR: Your Let's Encrypt certificate may have an RSA private key. Go's TLS implementation is far better optimized for ECDSA keys. Switching from RSA to ECDSA saves about 95% of CPU cycles due to the better implementation.
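
To check the RSA versus ECDSA cost on your own hardware, the following added example (not code from the comment or the article it summarizes) times the private-key signature a TLS server performs on each full handshake. The key sizes (RSA-2048, P-256), the sample message, and the names `Result`, `avgSign` and `CompareSigning` are assumptions made for illustration.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"time"
)

// Result holds the mean cost of one signature per key type.
type Result struct {
	RSA, ECDSA time.Duration
	Verified   bool
}

// avgSign signs digest n times (n > 0); returns the mean time and the last signature.
func avgSign(s crypto.Signer, digest []byte, n int) (d time.Duration, sig []byte, err error) {
	start := time.Now()
	for i := 0; i < n && err == nil; i++ {
		sig, err = s.Sign(rand.Reader, digest, crypto.SHA256)
	}
	return time.Since(start) / time.Duration(n), sig, err
}

// CompareSigning times signing with freshly generated RSA-2048 and ECDSA P-256 keys.
func CompareSigning(n int) (Result, error) {
	// Constructed input standing in for a handshake transcript hash.
	digest := sha256.Sum256([]byte("constructed handshake transcript"))
	rk, err1 := rsa.GenerateKey(rand.Reader, 2048)
	ek, err2 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err1 != nil || err2 != nil {
		return Result{}, fmt.Errorf("keygen: %v %v", err1, err2)
	}
	rt, rsig, err1 := avgSign(rk, digest[:], n)
	et, esig, err2 := avgSign(ek, digest[:], n)
	if err1 != nil || err2 != nil {
		return Result{}, fmt.Errorf("sign: %v %v", err1, err2)
	}
	// Both signatures must verify, so the timings cover real, valid signatures.
	ok := rsa.VerifyPKCS1v15(&rk.PublicKey, crypto.SHA256, digest[:], rsig) == nil &&
		ecdsa.VerifyASN1(&ek.PublicKey, digest[:], esig)
	return Result{RSA: rt, ECDSA: et, Verified: ok}, nil
}

func main() {
	fmt.Println(CompareSigning(50))
}
```

The printed durations are per signature; the ratio depends on the Go version and CPU, so measure on the machine that terminates TLS before deciding to reissue the certificate with an ECDSA key.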

