Patchwork – Decentralized messaging and sharing app built on Secure Scuttlebutt (github.com)
167 points by mercer 7 months ago | 64 comments



If you want to check out the deep end, here's some writing which captures some of the _vibe_ of the community building this sociotechnical space https://coolguy.website/writing/the-future-will-be-technical...


Mixed feelings about these writings.

All great for the vibes, but _personally_ I'd rather read tutorials on how to get it running easily on an old solar powered raspberry pi, or how to install it on my dad's phone. The introductory video [0] to Scuttlebutt is an excellent example of concise, hands down, brief explanation on why this software is important (vibes + useful). Tutorials and brief explanation change the future better than solarpunk short stories. Rock on!

[0] https://vimeo.com/236358264


The getting started guide [1] is pretty comprehensive, I think. Let me know if there's something you think is missing. The phone version is _very_ alpha still. Installing it on your solar powered raspberry pi is just a matter of downloading the AppImage from the releases page [2].

I'd also note that if you actually have a solar powered raspberry you'll probably fit right in. There are a lot of "solarpunk" people on the network.

[1]: https://www.scuttlebutt.nz/getting-started.html
[2]: https://github.com/ssbc/patchwork/releases


Yup been on ssb since staltz's article a while ago on HN, proud member of #solarpunk


forgot to mention. There's a post with instructions [1] for setting up scuttlebutt on a Raspberry Pi Pirate box. I'd link you to it on the web but the user has chosen not to have their posts shown on our public gateways, but if you join the network you can just throw this in the search field and you'll see all the details.

[1] %DI98y9SukdIcd0RW5mp9MRc0mxHziGLP/+PNUu59pO8=.sha256


Awesome! I've been using patchwork for some days and was always curious how to navigate to these ssb:// links I see thrown in places. You just throw it in the search field and you'll see all the details! top!


Thanks! As soon as i get it working on my arch laptop i'll try get it running on rpi


Is there a concise description of the ssb protocol somewhere? I tried reading the ssb website but it's too conversational; I can't get a grip on what the actual cryptography is.


This here is a great technical description of the protocol: https://ssbc.github.io/scuttlebutt-protocol-guide/


Oh cool! This would have been super useful while working on the Python implementation :)


And here's a doc covering only the secure network transport: https://github.com/auditdrivencrypto/secret-handshake


Here's a good overview video on its use case: https://vimeo.com/236358264


There are many apps built on Scuttlebutt (the p2p database/ protocol Patchwork is built on)

Check them out here : https://www.scuttlebutt.nz/applications.html

That site also has a good FAQ and other background info.


Are there plans to implement the ssb protocol in a language other than JS?


I actually started working on a Python implementation last year. I have a fully working implementation of the Secret Handshake protocol:

https://github.com/pferreir/pysecrethandshake

I've also implemented packet-stream on top of it (and intend to produce a proof of concept client at some point):

https://github.com/pferreir/pyssb

My time got diverted into other things, but if someone wants to help out, feel free to contact me on SSB (ub|k) or Twitter (@pferreir).


There's someone working on a rust implementation at the moment. I can't find a link to the repository just now, but there's plenty of threads on it if you search 'rust' at the top right of patchwork (after installing and adding a pub.)

I'll find the repo and reply to this thread when I'm home later :)

There were some previous efforts towards a Go implementation, but I'm not sure how far along they got: https://github.com/maackle/ssb-igo

By the way, there's some beautiful protocol docs for scuttlebutt here: https://ssbc.github.io/scuttlebutt-protocol-guide/ =]


just noticed that the go implementation you linked to [https://github.com/maackle/ssb-igo] is actually "the game of Go on ssb"


Haha, woops! I meant https://github.com/andyleap/go-ssb

I guess it was muscle memory since I was looking at the ssb-igo repo earlier.


A great game, a programming language, and the 49th most common word in the English language walk into a bar...


Thanks, I really like the core ideas of ssb but the nodejs implementation and lack of a security review give me a lot of professional reservations. I'm inclined to fork and use a more off the shelf method of securing p2p connections. The practice of binding a "secure" web-server to localhost is also a bit [dubious](https://security.stackexchange.com/questions/86773/how-secur...).


What are your reservations about it being implemented in nodejs? It's not my favourite technology stack either (I much prefer scala / haskell), but it hasn't deterred me from using it or contributing to the project.

I wonder if a security review is something that can be funded through the open collective that is being set up (https://opencollective.com/secure-scuttlebutt-consortium ) or some other funding source.

By the way, the repositories that I mentioned earlier for the Rust implementation of the protocol in progress are mostly here:

https://github.com/AljoschaMeyer?tab=repositories


I have issues with js as a language but those are not security issues. My security-related issues are with the nodejs package infrastructure.

https://www.csoonline.com/article/3214624/security/malicious... The sprawling dependencies alongside potential security/breaking issues are huge. It is a large and vulnerable attack surface.


Fair play!


Some of the code you might be interested in is _in_ scuttlebutt, as in there's a git implementation that lives in this p2p database / network. It's called git-ssb, and it has a github like interface.

https://github.com/clehner/git-ssb Here's a window into this p2p land : https://git.scuttlebot.io/ go gentle on it, it's a little server

Welcome to the cloud proper


there's also hosting of node modules over ssb :)


in addition to the already mentioned Rust implementation that's currently being worked on, i believe someone has already gotten some of the core functionality working in Red http://www.red-lang.org/


Congrats Dominic and co! I saw that even Julian Assange was recommending scuttlebutt on Twitter!!

A couple people have asked about browser based access and some people have replied that that wouldn't work?

Could somebody explain why? Me and Dominic have debated design a couple times, and on my own system we have P2P cryptographic identities working just fine in the browser (see https://hackernoon.com/so-you-want-to-build-a-p2p-twitter-wi... for an example), so this should be possible with scuttlebutt also. Could anyone explain further?


Sorry to semi-hijack your comment there, but, could you perhaps outline the functional differences (besides the extremely obvious ones like "it's not the same protocol") between Patchwork, Briar (Check the 34C3 talk on Briar if you find yourself unfamiliar with it: https://www.youtube.com/watch?v=iRJ8vIh3dVU - albeit I kind of doubt that'd end up the case), and secushare (see http://secushare.org/comparison)?

They seem to try to cover many of the same points, but they also seem to have quite a few differences. I primarily ask because secushare hasn't yet updated their comparison page to include Patchwork (although it already covers SSB), and because that same page has yet to account for the release version of Briar.

Edit: Never mind the difference to secushare, I've noticed secushare has an entry on Patchwork in their FAQ, just not on their comparison page: http://secushare.org/answers


Apologies, I haven't heard of either of these things before. So you'd know more than me!


Browser based access is absolutely possible. Not only that, it exists.

It has 2 forms: If you want a read-only version of the network there are a couple servers that do that. It's useful for showing people who aren't on ssb interesting conversations.

If you want to actually interact with the network that's possible too but there are... limitations / issues.

There are 2 aspects to this.

1) it's a distributed network. So, either you need to stick a client in the cloud with a web interface (Patchfoo [1] is just such a client, but the interface is.... meh) OR you need to run the entire client in your browser, and the problem with that is where do you store the data? You're going to quickly exceed the max of local store (i forget what that is but if you start following lots of people and they post photos you're going to exceed it).

2) You can't afford to lose your private key. SSB uses Public Key Encryption and as such if you lose your key you can no longer prove that you're you so you become disconnected from all your prior posts and people following the old you no longer get updates from "you" because "you" can't post as the old you anymore.

If you use multiple browsers then how would you sync the keys between them?

Also, SSB uses a blockchain for each user. If you have the same keys on multiple computers and one computer posts before it's synced up with the last post from the other computer then you've just forked your chain and it screws up everyone who's following you because you don't know which version of the chain each follower has ended up on.

[1]: https://github.com/ssbc/patchfoo
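
The fork described in the comment above (one key posting from two devices that have not synced), as an added example that is not part of the original thread and not code from the SSB project: a simplified signed, hash-chained feed in Node.js showing how a follower's replica can detect it. The message layout, `append`, `Replica` and the status strings are assumptions made for illustration, not the SSB wire format.

```javascript
// Added illustration: a simplified signed append-only feed, not the SSB wire format.
const nodeCrypto = require("crypto");

const sha256 = (s) => nodeCrypto.createHash("sha256").update(s).digest("base64");
// Canonical bytes that get signed: link to previous message, position, content.
const encode = (m) =>
  JSON.stringify({ previous: m.previous, sequence: m.sequence, content: m.content });

// Author side: sign a new message that extends this device's copy of the feed.
function append(feed, keys, content) {
  const head = feed[feed.length - 1];
  const body = { previous: head ? head.id : null, sequence: feed.length + 1, content };
  const payload = encode(body);
  const signature = nodeCrypto
    .sign(null, Buffer.from(payload), keys.privateKey)
    .toString("base64");
  const msg = { ...body, signature, id: sha256(payload + signature) };
  feed.push(msg);
  return msg;
}

// Follower side: a replica that only accepts messages extending its stored chain.
class Replica {
  constructor(publicKey) {
    this.publicKey = publicKey;
    this.log = [];
  }
  receive(msg) {
    const payload = encode(msg);
    const sig = Buffer.from(String(msg.signature), "base64");
    const signed = nodeCrypto.verify(null, Buffer.from(payload), this.publicKey, sig);
    if (!signed || sha256(payload + msg.signature) !== msg.id) return "invalid";
    const known = this.log[msg.sequence - 1];
    // Validly signed, same position, different hash: the author's chain has forked.
    if (known) return known.id === msg.id ? "duplicate" : "fork";
    const head = this.log[this.log.length - 1];
    if (msg.sequence !== this.log.length + 1 || msg.previous !== (head ? head.id : null)) {
      return "gap";
    }
    this.log.push(msg);
    return "ok";
  }
}

// Constructed scenario: laptop and phone share one key pair and both post after message 1.
function demo() {
  const keys = nodeCrypto.generateKeyPairSync("ed25519");
  const laptop = [];
  const first = append(laptop, keys, "hello");
  const phone = laptop.slice(); // phone synced message 1, then went offline
  const fromLaptop = append(laptop, keys, "posted from laptop");
  const fromPhone = append(phone, keys, "posted from phone"); // also sequence 2
  const follower = new Replica(keys.publicKey);
  return [first, fromLaptop, fromLaptop, fromPhone].map((m) => follower.receive(m));
}

console.log(demo()); // [ 'ok', 'ok', 'duplicate', 'fork' ]
```

A follower that happened to receive the phone's message first would instead report the laptop's message as the fork, which is why followers can end up on different versions of the chain.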


(1) is good! Great work!

(2) is a concern but ultimately depends upon the key management question - we already solved this and made animated explainer videos of it: http://gun.js.org/explainers/data/security.html (and you can see a demo of it working in action in the parent posts, or just check the source code).

(3) the blockchain, yes that is problematic, and is exactly what me and Dominic were debating in 2014. If you use the CRDT approach (which is what we do) you don't have that problem.

So again, these are all things that have doable solutions, nothing can stop SSB!!! Not even pesky browsers.


Hi Mark. What's the underlying database used there?

SSB in the browser is a subproject we're pushing forwards sometimes, but it's progressing slowly. One of the main obstacles is IndexedDB which seems to be much worse (in many aspects) than LevelDB, upon which SSB used to base itself. Nowadays SSB is based on FlumeDB, which is often backed by just the filesystem. Then there are other obstacles like building P2P connections through WebRTC.


Good to hear from you Andre!

Yes yes yes WebRTC has been a ridiculous pain in the butt for me, which is why I still have websocket fallback as default - browsers really need to get their game together and improve WebRTC (I hear there is a new version coming up that should fix a lot of problems)

What database underneath for the demo? GUN of course, we added a framework called SEA (Security, Encryption, Authorization) which seamlessly integrates Web Crypto API in the background so app developers don't have to fuss with it directly or learn the Web Crypto API (which is poorly documented and very confusing, but a life saver that it is available at all!).

Huh, haven't heard of FlumeDB I will definitely check it out. Great progress BTW, super exciting to see the community grow!!! Yeah, IndexedDB has its quirks, I stuck with localStorage personally cause it works like a charm and is much faster than any perf I could get out of LevelDB (I must have been doing something wrong with Level, because it never worked as well as we were expecting).

I'm very excited to see a browser subproject of SSB, that will be great. If it helps at all, we're currently refactoring and modularizing SEA which may help with SSB in the browser even if gun isn't needed or used. Let me know!


Will this get an events organisation feature like Facebook's? Because if so, I'm sold. Or is it just like all of the other federated/distributed social networks that are limited to simple message feeds only?


It's already got an events organisation feature :). It's called 'gatherings' in patchwork (and other clients too.) Here's a screenshot of a gathering: https://imgur.com/PbB8R9q

Nope - it's not limited to simple message feeds. For example, I was able to implement a chess app and integrate it into one of the scuttlebutt viewer clients (patchbay): https://github.com/Happy0/ssb-chess. Someone's working on a Go (game) app too :).

There is an app for discussing and reviewing books too - and some of the messages for this app are rendered on the main feed too (alongside gatherings and other things.)

More information about apps here: https://www.scuttlebutt.nz/applications.html


Well. I will definitely be setting this up then. Thanks for the pointers.


Awesome :).

Let me know if you need a hand with any of the setup.


Well. I created a gathering. The UI gives me no indication of who can see it; if it's public or private. The UI gives me no indication of how I can "invite" people to it so they can see it (if it's even private).

The UI could do with some work.


You could create an issue on the patchwork github issues page (https://github.com/ssbc/patchwork/issues) outlining the changes you'd like to see, if you like :).

And / or start a thread in #new-people on scuttlebutt.


Here's a screenshot of a gathering rendered on the feed: https://imgur.com/a/NfCSL :D


So I see that in order to communicate outside your local network you need to connect to a pub.

Can you set up a private, invite only pub? Say for an organization or team?



i would actually recommend ssb-pub [1] over ssb-easy-pub.

ssb-pub is private and has no ui. You generate invite codes on the command line. ssb-easy-pub does provide a web UI so that people can request invite codes easily BUT the codebase is in need of some TLC and is difficult to get running easily.

ssb-pub is trivial to set up, especially if you use the one-click installer.

[1]: https://github.com/ahdinosaur/ssb-pub#readme


such a wonderful community of folks there. i log on once every several days and sus leave pleased. also, it’s a nomadic group, and i’ve been pleased to meet a few other community members in person.

i recommend SSB to my friends as the place to find me if all hell breaks loose


I have been using SSB for a while now. Great community vibe so far, and no ads!


How does this compare to Mastodon/GNU social? From what I can tell, this is inviting me to run a P2P program on my own system rather than on a server; is that just an implementation detail?


You've got it! You run a P2P system on your local machine... in theory, you don't need the internet to communicate. Messages can be sent via your friends hopping between LANs using the underlying gossip protocol.


it's like federation, but at the level of a user. Much easier to set up, much easier to curate / moderate what you want to see. There's still emergent community in the space, it's just not tied to the politics of hardware


I wouldn't say it's "like federation" at all. In no scenario do you have an entire group of people who suddenly lose their accounts and connections if the owner of the "server" they connect to decides to stop hosting it (as has happened with many mastodon instances).

In addition it works offline (including images). Many of us catch up with friends and reply to their posts when on the train, plane, boat, road, whatever and sync up when we get to a net connection, or local connection to a local friend with SSB.


> it's just not tied to the politics of hardware

What do you mean by this? Is there some sort of hardware politics battle in the GNU social community or something?


When someone else runs the server you use, and your account is tied to their server, you are at the whims of the server owner, and are not able to migrate your identity.


Can't wait for the mobile version, that will speed up adoption. MMMMM0[0] for Android looks promising

[0] https://github.com/staltz/mmmmm-mobile


Are there gateways to see how it works before trying it out myself?


It does not work like that, the gateway will not be able to show anything, and if you would like to go through a gateway you would have to share your secret key with that Gateway, which means full control of your log.

The first time you use Secure Scuttlebutt will be boring because it will be an empty town, you will not have anything and you will not see anyone's feed either. The magic happens when you start following someone or you are on the same network as someone else: your client starts downloading the log of your friend and the log your friend has stored from their friends, and the feed is filled with information. You will even be able to view your social network offline and you will even be able to comment in other people's feeds and it will sync when you are online again.

Most likely you will not be on the same network as anyone else, which means you will not be able to see anyone, so the solution is to walk into a pub where almost everyone in the town is.

You will find a list of public pubs which can be used in Patchwork to access other feeds: https://github.com/ssbc/scuttlebot/wiki/Pub-Servers

What the pub solves is that you can download a bunch of people's feeds without them and their friends having to be online.


Although I understand the purpose of a new user having no data on first use I do not agree with it. Using a platform for the first time can be foreign and it eases the mind of the user if they can see what it would look like day-to-day. Maybe just have some test material and a very obvious button to wipe it clean when they are ready?


If you follow the instructions in the Getting Started Guide [1] it will not be "an empty town". That would be a pretty crappy getting-started experience.

Just connect to a pub and you'll find tons of content.

I would also recommend AGAINST ever doing `rm -rf ~/.ssb` as one commenter suggested. That will wipe out your keys, and thus your identity, and you'll never be able to post anything as that identity again (unless you backed up your secret file or connected it to another identity (advanced usage)).

[1]: https://www.scuttlebutt.nz/getting-started.html


good idea, #somebodyshould implement it!

If you're familiar with terminal, you can start the app, connect to a pub, have a play, and when you want to reset _everything_ including your identity, run :

```
rm -rf ~/.ssb
```

(this assumes mac / linux) Next time you start Patchwork a new identity will be made and you'll be starting from fresh


Decent [1] is an entirely in-browser Secure Scuttlebutt fork with automatic key provisioning for easy onboarding.

[1] http://decent.gwenbell.com/

ETA: More explanation directly on http://gwenbell.com


https://viewer.heropunch.io/channel/heropunch

we also have a git-ssb gateway at https://git.heropunch.io

sbot isn't super fast so be patient but don't worry about overloading the server we have plenty of extra capacity


This sounds very interesting. I hoped for somebody starting a better (decentralized) signal client! Owning your own pub is nice.

You got me in! Thanks for sharing.


owning your own pub is cool, but most of us don't bother because you really don't need one to use the system. Well, you don't need _your own_.

There's active work going on to improve the support for private groups.

if you do want to set up a pub i'd recommend ssb-pub. It's trivial to get up and running (but is command line only). easy-ssb-pub provides a web UI that your friends could request invites from but it needs some TLC right now.

https://github.com/ahdinosaur/ssb-pub#readme


I really like this.

I decided to host a pub for tech enthusiasts.

technology.ssb-pub.com


cool. I see you've added it to the wiki.

You should probably mention it with the #scuttlebutt tag as well as just saying hello in #new-people :)


come join the community! there are good things to be discovered for everyone. fruitful conversations, ideas and people, not profiles.



