
Show HN: Orange Forum – Web 1.0 style forum written in Go - deafcalculus
http://www.goodoldweb.com/
======
always_good
I built a forum from scratch once and it is a comical amount of work.

The initial CRUD weekend-ware is straightforward. LIMIT/OFFSET for
pagination. Throw in some Markdown support. Seems easy enough.

But the devil is in all the individual features that make a forum usable. Like
getting notified when someone @mentions or replies to you, marking threads
that you've posted in, tracking the high watermark per user per thread so you
can create a "go to first unread post", implementing a decent search, making
deep pagination fast, a PM system, trying to generalize it.

A serious amount of breadth between weekend #1 and production if your users
want the feature set of Xenforo. The main positive I can say is that my forum
is cheap to host.

~~~
hasenj
> Like getting notified when someone @mentions or replies to you

Really? _that_ is complicated?

Serious question, do you find it complicated because you're still a beginner,
or is there something I'm missing?

What language(s) did you use?

~~~
KajMagnus
Well this @mention is a bit more complicated than what one might think. For
example: If someone creates a post, without any @mention, then edits it, and
adds a @mention — then, do you detect this, when looking at the edits, and
send a @mention notification now? And what if s/he edits the post again, and
removes the @mention, then, do you remove the notification? Cancel the email
if it hasn't been sent yet? And if the email has been sent, and the user
clicks the link, and views the post — but the @mentioned user sees no @mention
because it was removed, then ... this is not good UX. Should you do something
about this? Explain that the @mention got removed? Or just leave the user
slightly confused?

Also, do you really want to send an email for a @mention immediately? What if
the user who writes the post, keeps editing it, after having saved it? Should
you wait for a minute or two, until s/he seems to be done editing it? And then
generate the @mention email? Or directly, even if then an early out-of-date
version of the post will be included in the email.

What if the @mentioned user is in do-not-disturb mode, then you need to
schedule the notification for later.

And what if the @mentioned user is already online and sees the post with the
@mention in, directly? Then maybe you needn't generate any notification at
all. But how do you determine what s/he is reading currently?

There's a lot to think about (more than what I mentioned above) that one might
not think about, ... before one starts implementing everything. — And this is
just for @mentions. ... Kind of goes on like this, with every small seemingly
simple feature you want to add.

~~~
Ntrails
It's a forum. Read the thread and don't have any such concept as a "mention".
If you get quoted, you'll see it as you go through the pages. If you're really
lazy just namesearch your handle (which may or may not change, may or may not
be unique, etc) but basically participate don't just cherrypick.

I hate most modern forum software with a passion.

~~~
always_good
Right, but you would just be one of the rare users that turns the system off.
Which is fine, but don't let it blind you to what the typical user wants.

"Just use the /search feature to find replies" isn't something I can say with
a straight face to the sort of users I have. I would just leak them to
competing forums that have good UX. It's not ideal for someone to be unaware
that a thoughtful reply was made to a post they invested in.

~~~
Ntrails
If they were so invested they'd be reading the thread for people who are
communicating about the topic. For people who are referring to comments or
quoting other posts or didn't specifically @mention to drag a person back to
look STRAIGHT AWAY lest they lose engagement.

@mentions on forums are good UX in the way that twitter @mentions are good UX
- they drive clicks and opens - not engagement. They don't push _good_
content, good conversations, good experiences. They allow people to sandbox
discussions, to talk across each other. To skip volumes of content to just get
their little piece.

Having the feature degrades the forum community imo, irrespective of who does
and does not use it.

I'm a guy who likes old school forums though, so, you know, my opinion is
probably not worth that much ;)

~~~
KajMagnus
Seems you've had a bad experience with mentions. Maybe people have been using
them in the wrong way, where you've seen them.

At work, we were using Slack, and @mentioned each other "all the time", and
I'm fairly positive we would have abandoned Slack if people couldn't mention
each other. Mentions are like going to the other person, and saying, "Hi, look
there, your knowledge & help is needed over here a short while". And then the
other person takes a look, replies with help or status update for example.

Our mentions were related to _none_ of driving clicks or opens or engagement
— instead, it was about getting work done, directly rather than ... some day
later when the person happened to maybe see the relevant comments.

~~~
Ntrails
Then you're now talking about Slack instead of a forum. They're distinct
entities, with distinct purposes.

Or not, maybe the line is so blurred by now that people can't handle actual
forums anymore. If I wanted a chatroom though, I'd be in a chatroom.

------
mseebach
Ok, sorry, bitter old man coming through: this is Web 2.0, not 1.0. For all
the buzzwords, Web 2.0 was defined by the dynamic interactive solicitation of
user input as opposed to Web 1.0 being just static HTML. I don't think we've
coined a good catchphrase for fat applications implemented in tons of
Javascript with only lightweight AJAX calls to the backend.

And then, of course, there's Web 0.1:
[https://thedailywtf.com/articles/Web_0_0x2e_1](https://thedailywtf.com/articles/Web_0_0x2e_1)

~~~
CM30
Nah, this is as 1.0 as you can get, assuming you're not asking for completely
unstyled text. Forum scripts with this sort of simplicity were around for
decades, with UBB being created in 1996 (and having significantly more
features than this software), and basic scripts like WWWBoard dating back to
1995 or earlier.

It was AJAX and processing data via JavaScript that was a web 2.0 thing (for
the most part), not just submitting forms in general.

~~~
mseebach
2.0 is not about a switchover date, it's functionality, or even philosophy.
Mid-90s forums would be understood as visionary betas of Web 2.0 under this
terminology. I concede that Orange Forum is definitely very early 2.0,
possibly even very late 1.0, but it is most definitely not "as 1.0 as you can
get". That would be static websites with at most a guest book and/or email
form.

------
candiodari
The irony is that because of the lean structure behind the server, this forum
actually responds faster than most webfora that do use AJAX/SPA.

Funny given that the whole purpose of AJAX/SPA was to reduce response time.
That's its reason for existing.

Turns out it just complicates things ...

~~~
elnygren
I think what you say makes no sense at all.

The idea of AJAX/SPA was to provide interactivity and a less technical UI that
caters to the average Joe. AJAX/SPA moves some of the computation from the
backend to the frontend so the service scales better for millions of users.

This forum is not going to be fast for millions of users (it might not even be
for hundreds of simultaneous users) because the server has to render
everything again for everyone.

Server side rendering is good for response times, that's why the SPA world
went back to it (Google: react ssr). SPA is good for scalability and average
Joe UI.

...and AJAX is there so we don't need to do a full page reload all the time.
Again, not because of response times.

~~~
combatentropy
> AJAX/SPA was to provide [...] a less technical UI

I hadn't heard that reason before. Can you please talk more about this?

> This forum is not going to be fast for millions of users (it might not even
> be for hundreds of simultaneous users) because the server has to render
> everything again for everyone.

This theory doesn't match reality. In reality, multipage applications are
faster than single-page ones. In fact, most things on the internet still are
multipage, including web forums. Most web forums are powered by PHPBB, a
multipage web app, and they were powered by PHPBB 15 years ago, when hardware
and PHP were much slower. This very site is a multipage web app, and it holds
up just fine, even though it has enough users to bring down other websites.

Single-page applications seemed like they would be faster, but usually they
aren't.

First, let's look closer at a multipage application. All of the scripts,
styles, and images should be cached after loading the first page, if you set
the headers right (the Expires header, mainly). Therefore, what is left? The
content. And I have found that the size of the HTML content is often close to
the size of the same thing in JSON --- at least the way I write HTML (I try to
keep it lean. Few classes, extraneous divs, etc.). This is because JSON has
all those keys:

    {
        "color": "red"
    }

while HTML has just the values:

    <div>red</div>

That was a simple example, but I measured a bigger one, and the size turned
out to be about the same, especially after compression. All of those HTML tags
compress well, because of repetition.

Now if they are the same size, then they should load in the same time. Except
they don't. The server-rendered page loads faster. Why? Because of progressive
rendering. When just some of the HTML has come down the pipe, the page
appears. But with AJAX, all of the JSON must first load, then be parsed, then
wrapped in a template, then inserted into the DOM. Then it appears all at
once.

~~~
elnygren
> Can you please talk more about this?

Average Joes want spinners, buttons, draggable stuff, toggles etc. that don't
lead to a page load everytime you press them. Sure, you can say that "well
just make a multipage app with some jquery". But at some point you're just
approaching a SPA with SSR support.

Imagine facebook's chat but everytime you hit enter you had a full page reload
:D

> In reality, multipage applications are faster than single-page ones.

I agree. They are faster for a single user when the usecase is a semi static
page like a forum. However, the SPA + API model makes stuff easier for the
backend side and allows that average Joe UI stuff. It scales well to millions
of users.

The thing is, it's not about you. It's about everyone. We want to build
services that please the majority and backends that stay up when the majority
is logged in.

Also, it really isn't possible to build realtime/dynamic stuff with a "let's
render some HTML on the server" mindset. How do you do realtime chat? Realtime
games? How do you do a collaborative text editor? and so on.

JSON/SPA/AJAX are not there so your static forum page loads fast. They are
there because of the next generation of the web.

------
baby
I'd recommend you to use Argon2 instead of bcrypt for storing passwords. It has
won the Password Hashing Competition last year and is the recommended way to
store passwords. Bcrypt is not bad but it could be used with insecure
parameters while Argon2 does not have insecure parameters.

The way you create cookies is also insecure, you should be using crypto/rand
instead of math/rand AND rather hex.EncodeToString() the result instead of
just generating random numbers in the alphanumeric range.

~~~
tptacek
The math/random point is well taken.

The hex.EncodeToString() point is a nit. Generate 128 bits of randomness, and
then encode it however you'd like. The track record of people trying to get
"generate random numbers in the alphanumeric range" isn't great; it's an
opportunity to reintroduce bias. Start with a random token of sufficient size,
then encode.

The Argon2 vs. bcrypt thing is unhelpful. It does not matter what password
hash you use, so long as you use a hash designed for password storage (ie: not
"salted SHA-2"). Bcrypt is fine. I prefer scrypt, for the obvious hardware
tradeoff. I don't recommend Argon2 to people (or tell people to stop using it)
because of the library support issues.

But I think it's specifically a bad idea to tell people to switch password
hashes from bcrypt (or PBKDF2) to the trendy new hash. The security benefit of
"upgrading" from one password hash to another is marginal.

(Obviously, the benefit of switching from "salted" hashes to real password
hashes is not).
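
Added example, not part of the thread or of Orange Forum's code: the "start with a random token of sufficient size, then encode" advice above in Go, next to the bias that the "random characters in the alphanumeric range" approach picks up when a byte is reduced with `%`. The function names and the 62-symbol alphabet are assumptions made for the illustration.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"io"
)

// 62-symbol alphabet of the kind used by "random alphanumeric string" helpers (assumed).
const alphanum = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

// randomBytes reads n bytes from the OS CSPRNG via crypto/rand, never math/rand.
func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		return nil, err // fail closed: no token is better than a weak one
	}
	return b, nil
}

// NewToken returns 128 bits of randomness, hex-encoded (32 characters).
func NewToken() (string, error) {
	b, err := randomBytes(16)
	if err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// NewTokenBase64 encodes 128 random bits as URL-safe base64 (22 characters).
// The encoding is a presentation choice; the entropy is fixed before it.
func NewTokenBase64() (string, error) {
	b, err := randomBytes(16)
	if err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// ModuloCounts maps every possible byte value onto an alphabet of the given
// size with b % size and reports how many byte values land on the rarest
// (lo) and the most common (hi) symbol. lo != hi means the output is biased.
func ModuloCounts(size int) (lo, hi int) {
	counts := make([]int, size)
	for b := 0; b < 256; b++ {
		counts[b%size]++
	}
	lo, hi = counts[0], counts[0]
	for _, c := range counts {
		if c < lo {
			lo = c
		}
		if c > hi {
			hi = c
		}
	}
	return lo, hi
}

// UnbiasedAlnum draws n alphanumeric characters from r by rejection sampling:
// bytes at or above the largest multiple of 62 that fits in a byte (248) are
// discarded, so every symbol is backed by exactly 4 byte values.
func UnbiasedAlnum(r io.Reader, n int) (string, error) {
	const limit = 256 - 256%len(alphanum) // 248
	out := make([]byte, 0, n)
	var buf [1]byte
	for len(out) < n {
		if _, err := io.ReadFull(r, buf[:]); err != nil {
			return "", err
		}
		if int(buf[0]) >= limit {
			continue // reject instead of wrapping around
		}
		out = append(out, alphanum[int(buf[0])%len(alphanum)])
	}
	return string(out), nil
}

func main() {
	tok, _ := NewToken()
	b64, _ := NewTokenBase64()
	lo, hi := ModuloCounts(len(alphanum))
	alnum, _ := UnbiasedAlnum(rand.Reader, 22)
	fmt.Println(tok, b64, alnum)
	fmt.Printf("byte %% 62: rarest symbol %d/256, most common %d/256\n", lo, hi)
}
```

With `byte % 62` the first eight symbols are each produced by five byte values and the rest by four, which is the bias the comment warns about; encoding a fixed 16-byte value avoids the question entirely.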

~~~
ktta
Where do you think Argon2 should be present before it is considered to have
good library support? AFAIK, it is in libsodium, debian, ubuntu, and other
distros.

And I think one can also make mistakes with scrypt when choosing parameters
which Colin himself acknowledged. So isn't it time to go ahead with Argon2?

~~~
wybiral
This project is in Go and Argon2 isn't a part of the standard crypto
([https://golang.org/pkg/crypto/#pkg-subdirectories](https://golang.org/pkg/crypto/#pkg-subdirectories))
or additional crypto
([https://godoc.org/golang.org/x/crypto](https://godoc.org/golang.org/x/crypto))
libraries.

There are a few 3rd party implementations... But is it more secure to use a
lesser known 3rd party package to have Argon2 support or is it more secure to
use the more widely adopted bcrypt package supported by the Go dev community?

~~~
ktta
>This project is in Go and Argon2 isn't a part of the standard crypto

I was talking about password hashes in a general sense, not just about the
current project.

------
arunc
Interesting.. Looks sleek.. DLang forum [1] is similarly lightweight and it
runs as a newsgroup, IIRC. Source code at [2] and previous discussions on HN
[3]

[1] [http://forum.dlang.org/](http://forum.dlang.org/)

[2]
[https://github.com/CyberShadow/DFeed](https://github.com/CyberShadow/DFeed)

[3]
[https://news.ycombinator.com/item?id=3592769](https://news.ycombinator.com/item?id=3592769)

~~~
golangnews
See also [https://golangnews.com](https://golangnews.com) - an HN inspired
forum written in Go and hosted on a $5 instance, holds up pretty well.

------
throw2016
The old style forums are showing their age and need to be modernized but not
abandoned. See the Archlinux forums based on Fluxbb. It's fast and effective.

The newer ones led by Discourse, Nodebb and Flarum have completely gone in
another direction in reinventing how discussion forums should be and perhaps
gone too far. They feel strangely 'rootless' and completely lack the
'community feel' of user forums.

This looks promising for something fast, lightweight and easy to deploy.

~~~
JoshMnem
The UIs on those three should be dialed back (animation, JS), but Discourse is
pretty good otherwise.

I've looked at all three:

* Flarum had nausea-inducing animation, and now it overrides natural scroll behavior. (Please never do that to users.)

* NodeBB had some problems when I was using it. If JS is disabled, even the homepage links don't work. Forums should be server-rendered.

* Discourse could be improved by removing most of the animation and Material Design creep (bad for motion accessibility), but other than that, it's the best at the moment. It would also be nice to have easier, full theme customization. Maybe it's in there somewhere, but I haven't found it yet.

I would like to see forum software that has the feel of classic forum software
(like Flux), not in PHP, that is server-rendered, with a very minimal default
theme (no animation) and minimal JavaScript, and that has many of the modern
features of Discourse.

~~~
KajMagnus
Then maybe you'd be interested in EffectiveDiscussions, like, item 4 in your
list:

[https://www.effectivediscussions.org](https://www.effectivediscussions.org)
(I'm developing it)

I have copied ideas from Discourse — so yes it has some of Discourse's
features. Plus features from Slack (i.e. chat), HackerNews (best comments rise
to the top) and StackOverflow (question-answers) & Disqus (embedded comments).

More things you mentioned: It's not PHP (it's Scala instead, in Docker
containers), it is server side rendered (React.js), fairly minimal Javascript:
150 kb JS on page load.

~~~
JoshMnem
Looks good. One suggestion: it doesn't work with JS off, so I don't see
content when I arrive.

I made a personal commitment not to use Facebook's software (React) whenever
there are suitable alternatives available, because I don't want to support
that awful company in any way, but hope that your project goes well.

~~~
KajMagnus
Interesting commitment. Can I ask which URL didn't work for you, & which
browser?

For me, when I disable JS in Chrome Dev Tools, the website still loads
properly, incl homepage, forum index and discussion topics. (but one cannot
leave comments, that still requires JS). I tested a bit in Lynx also.

~~~
JoshMnem
And regarding the commitment not to support FB, it's because using FB's
software supports FB, and FB is terrible for society. I don't want to support
them (wherever possible), even if just in a small way.

[https://www.theguardian.com/technology/2017/nov/09/facebook-...](https://www.theguardian.com/technology/2017/nov/09/facebook-sean-parker-vulnerability-brain-psychology)

------
z3t4
How can a few lines of text _load so fast_ !? Are we so far into the Obesity
Crisis that people find this impressive ? :P

~~~
pjmlp
Yes we are, when web sites have more JS code than what Doom or Quake required
in floppies, to display static text.

------
emrekzd
The term "Web 2.0" is an unfortunate choice and as a consequence it has been
rarely used correctly. Funny enough I've been to a Web 2.0 Conference about 10
years ago where almost every speaker used it incorrectly.

Web 2.0 has nothing to do with a technical revision or change in the Web. It
was used by Tim O'Reilly back in 2004 (and became popular) and refers to the
rapid change in the way the web is used, more specifically the switch from
static web to user generated content.

I'm sorry but your forum is all about UGC, and AJAX has nothing to do with Web
2.0.

------
binaryapparatus
Works beautifully with w3m which has become my main site test lately. Another
great example is HN itself.

If it doesn't work well with w3m something is wrong with the site philosophy
or execution.

~~~
weberc2
> If it doesn't work well with w3m something is wrong with the site philosophy
> or execution.

Point of clarification: "wrong" according to your moral philosophy about web
sites, even if it's one I happen to share.

~~~
xyzzy_plugh
What's the other sort of wrong?

~~~
wastedhours
Being objectively wrong.

Philosophically wrong is using technology that limits the web from being what
the interpreter expected, as in this example (there's still a rational reason
in this case to do it the "wrong" way and it's based on personal morality).

Objectively wrong being trying to make a website out of custard.

------
Aardwolf
So much whitespace in the demo. Real web 1.0 forums can fit way more thread
titles on screen ;)

~~~
czep
> So much whitespace in the demo.

This. If you want old school, go with 10px Verdana, and pad sparingly. I want
information, not negative space dammit! With pine, my email editor in 1995, I
could read 40 subject lines on a 640x480 screen. With Gmail (in compact mode)
on an MBP retina, I get 36. Progress, indeed. Designers 1, Users 0.

~~~
HumanDrivenDev
The amount of padding in modern websites drives me up the wall. The idea that I
bought a 24" monitor just so I can read text in fullscreen is ridiculous.

One trick I often use is to have the window take half (or less) of the screen
and spoof my browser to be Chrome on Android Kit Kat. I just wish there was a
change to have a different browser spoofed per tab, or maybe a "whitelist" of
websites that are designed well enough that I won't pretend I'm on a phone.

~~~
sitkack
Added your ideas to my notes file.

------
Xeoncross
Five years ago I wrote a 5KB PHP forum system I called
[https://github.com/Xeoncross/forumfive](https://github.com/Xeoncross/forumfive)

It relied on BrowserID though so it's no longer working and I was thinking
about re-doing it using Go so I'll look at this.

------
Eyas
Looks like you'll need to start moderating this already, as of an hour ago, at
least.

The process of setting up a public sandbox for users to play with seems like
it should be easy, but abusive/obscene posts by users make a testing sandbox
unusable/NSFW very easily.

~~~
czep
What are good strategies for combatting such abuse? Validate email before
posting, forbidden word lists, active site moderators?

~~~
mrSugar
Only thing that works is active and ongoing moderator involvement, plus a well
implemented "report/flag post" feature.

------
scrumper
The live demo is already full of trolling _sigh_. So yep, it's a forum.

Nice and fast though. Good work.

------
swlkr
I love this, this is how I've been writing my latest projects, with very
little js and it's been a huge productivity booster.

------
sturmen
I appreciate the philosophy. Is there a live demo so we can try it out?

edit: I turned on my brain and found the link was on the homepage the whole
time.

~~~
noughth
Yup, the site links to a hosted version here:
[https://groups.goodoldweb.com/](https://groups.goodoldweb.com/)

~~~
bovermyer
That's a very concise privacy policy, heh.

------
shpx
Here's one written in lisp ;)

[https://github.com/arclanguage/anarki/blob/master/lib/news.a...](https://github.com/arclanguage/anarki/blob/master/lib/news.arc)

------
foxhop
I really like this movement of going back to the basics, web 1.0 style web
apps/sites.

I do feel however that there can be a compromise, I think we can build our web
applications in the 1.0 style and power them up in the 2.0 style, allowing the
capability of the client drive the presentation of the application.

For hints on how I'm doing this for Remarkbox
([https://www.remarkbox.com](https://www.remarkbox.com)) - please read
[http://russell.ballestrini.net/capability-driven-presentatio...](http://russell.ballestrini.net/capability-driven-presentation/)

~~~
reacharavindh
I looked into your work - remarkbox and read through all the while
hoping/wishing for there would be a self-hosted version that is not
prohibitively expensive for a free personal blog. No luck for me. Back to
tinkering with self-hosted isso[1] comment system to make it work for me.
[https://posativ.org/isso/](https://posativ.org/isso/)

~~~
KajMagnus
Since self-hosted is a requirement (?), then you might also find
EffectiveDiscussions (ED) interesting — here's how embedded comments look:

[https://www.kajmagnus.blog/new-embedded-comments](https://www.kajmagnus.blog/new-embedded-comments)
(scroll down to the bottom)

it has more "modern" features than Isso, e.g. FB and Gmail login, & some new
ideas. Here's an about page with more info:
[https://www.effectivediscussions.org/blog-comments](https://www.effectivediscussions.org/blog-comments)

(I'm developing it.)

Embedded comments requires JS, but ... the discussion forum part of ED (not
embedded) works like Web 2.0, that can fallback to Web 1.0 (I mean, static
HTML with no JS). Although this is only partly implemented.

------
kgthegreat
Take a look at [https://hashnode.com](https://hashnode.com) if you want to see
fast MERN[1] stack forum

[1] [https://hashnode.com/post/hashnode-looks-pretty-amazing-its-...](https://hashnode.com/post/hashnode-looks-pretty-amazing-its-very-fast-smooth-and-looks-client-heavy-i-am-curious-about-the-stack-used-in-hashnode-ciij5a1k101mplc536dav792z#ciijdrq8w01uxlc53ci1jvn5j)

------
pcunite
This post is hilarious!

[https://groups.goodoldweb.com/topics?id=67](https://groups.goodoldweb.com/topics?id=67)

------
maxpert
Likes on bringing such a retro concept back; but seems like you don't have any
kind of spam control :D would be nice to have one.

------
KajMagnus
Can I ask what (if any) are your future plans with this? And what's the reason
you decided to create it? (only to showcase web 1.0 style forums, or ... other
reasons too?)

For example are you planning to provide hosting?

Continue developing the open source version and add features like spam
protection? Google and FB login?

~~~
deafcalculus
I'd been working on this on-again off-again for a while after reading Dan
Luu's post on page bloat[1].

I'll provide hosting if anyone wants it. That said, ease of deployment was a
major consideration right from the start. That's why I chose golang over
Django/Rails and decided to offer SQLite as an option to support quick
deployment for internal / low traffic sites.

[1] [https://danluu.com/web-bloat/](https://danluu.com/web-bloat/)

~~~
KajMagnus
Ok thanks for explaining :-)

(I've seen Dan's post me too in the past, it inspired me to try to remove lots
of JS from some similar stuff I'm building.)

------
meehow
I think you guys are awesome. Keep up good work. Battery, CPU and RAM of my
laptop are having the same feeling. Can I deploy it as fcgi script on cheap
shared Apache hosting?

~~~
deafcalculus
Thanks! FastCGI is currently not supported. If your shared hosting allows you
to run a binary that accepts connections on some port, it should work with
Apache as a reverse proxy. I'll add fast cgi soon. It should be easy enough
since golang's net/http supports it.

------
devmunchies
in the demo when a response is massive it takes a long time to load. example:
[https://groups.goodoldweb.com/topics?id=33](https://groups.goodoldweb.com/topics?id=33)

It needs to limit entries to a certain number of characters where you can
click a "see all" button to see the rest of the long entry.

~~~
deafcalculus
I missed limiting the size of user inputs. Will fix it soon.

------
lecarore
Resetting the form if there's any error in the input is not the nicest UX.
Like special characters in the name of a group

------
nategri
Any support for images?

~~~
deafcalculus
Images are supported, but it's disabled in the live demo.

~~~
protomyth
Good plan for your own sanity. Is there a way to disable the signup and just
load users?

~~~
deafcalculus
Signup can be disabled. Loading users will need some SQL.

~~~
protomyth
Thanks, SQL doesn't bother me much - I just was looking at it for suitability
for a student forum.

------
dzonga
the live demo could hardly render well on my browser.

------
jksmith
Hell yeah golang templates rock!

------
hasenj
This is cool. I've been thinking about this for a while. The best way to write
high quality web applications is to use compiled languages and minimize the
complexity of the infrastructure by using e.g. SQLite instead of PostgreSQL.

I hope this trend starts to pick up more steam and become the sane default
that everyone just assumes. Instead of the current mess where everyone assumes
that it's "normal" to live in this messy world of countless abstractions and
frameworks and micro servers, etc.

~~~
iamd3vil
SQLite is ok if you don't have much traffic (for example personal blogs), but
you can't replace a db like Postgresql with SQLite if you have lot of
concurrent traffic.

~~~
hasenj
99% of the internet can use SQLite. Not just "personal blogs".

Just about anything that's not facebook/twitter/google.

I think you underestimate how much load it can handle.

~~~
muxator
Supposing that your server-side tech uses multiple workers to render pages, I
suppose you have to serialize the access to the SQLite file. What is the best
way to do this?

~~~
deafcalculus
SQLite can handle concurrent reads, but needs to lock the entire DB when
writing. Multiple workers shouldn't be a problem per se, but if you need
multiple workers to support the traffic, then maybe a client-server db like
postgres is a better choice.

~~~
hasenj
Writing does not lock readers if you use the WAL feature (Write-Ahead Log,
introduced in 2010)

[https://sqlite.org/wal.html](https://sqlite.org/wal.html)

> WAL provides more concurrency as readers do not block writers and a writer
> does not block readers. Reading and writing can proceed concurrently.

~~~
deafcalculus
Right. I meant it doesn't support concurrent writes.

~~~
zaarn
On any personal website, that shouldn't be much of a problem, most blogs have
only a few writes at a time

