• t3rmit3@beehaw.org
    ↑ 5 · edited · 1 day ago

    I think this scoring system is missing Language Support as an important aspect of decentralization. Centralization happens not just through commercial hosting (centralization of ownership), but even through self-hosters being in relatively centralized locations, limited jurisdictions, etc: an app with 300 self-hosted instances all located in one city (or even just all within 5 Eyes countries) is much easier to shut down than an app with those 300 spread across the globe, and language support is important to help facilitate that level of decentralization.

    • jarfil@beehaw.org
      ↑ 3 · 1 day ago

      If we’re talking takedown-resistance, we may need to enter the dark web realm:

      • Tor hidden sites are inherently hard to pinpoint
      • ZeroNet was an interesting project, seems to be abandoned
      • I2P is like Tor on steroids, can publish all sorts of services
      • IPFS is a decentralized P2P storage system (best/worst known for NFTs)
      • FreeNet Hyphanet is a 25+ years old distributed content system with limited support for services
      • FreeNet is… honestly, haven’t seen a working example, but it sounds interesting?
      • Matrix… if they manage to get things under control
      • Nostr is a censorship-resistant distributed messaging system

      Hosting distribution and localization varies, but they all have features to make it hard to pinpoint host and/or client locations.

      • t3rmit3@beehaw.org
        ↑ 4 · edited · 22 hours ago

        Takedown resistance is a natural consequence of decentralization, but it’s not decentralization itself.

        Technical means to evade takedown like you’re describing also tend to add complexity which reduces usability, whereas language support reduces complexity for speakers of the supported languages.

        I think this scoring system is a little haphazard, and should probably be divided into multiple separate, parallel scores. Takedown resistance needs its own score, based on ability to integrate with anonymization tools, ownership of codebase, accessibility and security of dependencies, etc.

  • prof@infosec.pub
    ↑ 24 · 2 days ago

    Everyone that thinks self hosting E-Mail is easy, I urge you to run your own mailserver and see how many mails actually reach their targets.

    Your mailserver won’t be trusted by anyone, which makes your email always be delivered as spam, if they don’t get blocked outright.

    Otherwise this scoring system seems to be quite alright. Even though it could use some more detail and citing some sources for the numbers would be great.

    • pcouy@lemmy.pierre-couy.fr
      ↑ 12 · 2 days ago

      Self hosting emails is a pain, but I’ve been doing it for almost 2 years and I do not have any of these issues. I’m not an expert either, I just thoroughly followed a tutorial to properly configure dmarc, dkim and everything else and everything just works (I just hope I’m not jinxing it by writing this :D )

      • prof@infosec.pub
        ↑ 11 · 2 days ago

        Glad it worked out for you!

        But it’s definitely one of the deadly sins of selfhosting.

      • jagged_circle@feddit.nl
        English · ↑ 3 · edited · 2 days ago

        How many users are you supporting? And how frequently do they complain about spam, delivery issues, and that sending that last email with a 5G attachment keeps failing…

    • dan@upvote.au
      ↑ 4 · 2 days ago

      I’ve been self hosting my email for a long time, but I use an outbound SMTP relay so I don’t have to deal with IP reputation. The more interesting part to self-host is the receiving part, not the sending part.

  • jBoi@szmer.info
    ↑ 19 · 2 days ago

    Email should not score this high. Self hosting an email server is a pain in the ass because every other server sends you to spam by default.

  • Snot Flickerman@lemmy.blahaj.zone
    English · ↑ 31 · 2 days ago

    The real issue is lack of community-run ISPs. We can self-host all we want, but we’re still using the network paths of major providers when data is in transit.

    More community run mesh networks. More community run fiber networks. Generally, just more community, less business.

    • jarfil@beehaw.org
      ↑ 3 · edited · 1 day ago

      There are many community networks out there, but they require more dedication and funding than simply paying an ISP, for a worse service. It’s a hard sell to the average doomscroller.

      The EFF scaled down their efforts for OpenWireless.org after it became obvious that they’d have to support hundreds of different hardware models, and ultimately abandoned the project.

      A couple decades ago, Fon tried to build a mixed community-commercial network with their own standardized hardware, but even the commercial incentive was not enough to keep it afloat in the long run. Some of the hardware got repurposed for community projects, but most of the best placed hotspots ended up in the trash, replaced by municipal and ISP networks.

      In many places, fiber is a no-go. Like, in my city there was a large move to get fiber to most houses over a decade ago, but after the first deployment of a handful of ISPs, the city stopped giving permits for additional deployments: lease from one of the existing ISPs, or you’re SOL.

    • dan@upvote.au
      ↑ 7 · edited · 2 days ago

      I think the most feasible solution is municipal internet, where the city owns its own fiber lines and essentially runs it like a non profit. Good cities that do this don’t see it as a profit center; they see it as providing a critical service to their residents. Some of the maintenance cost comes from taxes, just like roads, public schools, etc.

      Palo Alto, California is doing this. They’re modernizing their electricity grid, so they’re also running fiber at the same time as running the new electrical lines. Electricity in Palo Alto is run by the city, and as a result, electricity there is less than 1/3 of the price of electricity with PG&E, the investor-owned utility company that supplies most of Northern California.

      > More community run mesh networks

      That’s kinda what settlement-free peering at an IX (internet exchange) is. Multiple networks agree to connect to each other for free. Of course, the networks are usually large ones, so that kinda goes against your other points.

    • Toes♀@ani.social
      ↑ 9 · 2 days ago

      I’m only aware of people using ham radio for community mesh networks.

      Are there more sophisticated community networks? Or do you just mean something like an ISP cooperative group?

  • bobs_monkey@lemm.ee
    ↑ 22 · 2 days ago

    Realistically, more people need to self-host, or at the very least we need more mom-and-pop style datacenters. The foundational protocols of the Internet inherently make the web decentralized, but most would rather offload hardware costs and, more importantly, security, to those more knowledgeable. Not that I blame them, as running one’s own hardware is extremely time intensive, nevermind power and equipment costs, but it’s no wonder that conglomerates have stepped up to fill that role (nevermind economies of scale). Yet, this is how we’ve fallen into the situation we are in now.

    • Melmi@lemmy.blahaj.zone
      English · ↑ 11 · 2 days ago

      > mom-and-pop style datacenters

      I find this wording very funny for some reason. I do wonder what a more-decentralized internet would look like though, rather than 90% of it being in the hands of a few megacorps.

      • bobs_monkey@lemm.ee
        ↑ 5 · 2 days ago

        I honestly think the drivers model has some merit to it, and it’d be interesting to see federated data centers. I dunno how well it would work out, but it would be interesting.

    • JovialSodium@lemmy.sdf.org
      ↑ 9 · 2 days ago

      Risk is also a factor re: self hosting.

      • You’re exposing potential attack vectors, which is particularly concerning if self hosting = home hosting.
      • Also with home hosting, it’s probably against your ISP’s TOS. It is for mine (I actually read it!). Will they do anything? Probably not. But it’s a risk.
      • You could face legal issues if someone posts illegal content, since you’re hosting it. Even unwittingly.

      Those concerns are what stop me. Because I otherwise think I’d enjoy hosting a little corner in the fediverse.

      • bobs_monkey@lemm.ee
        ↑ 5 · 2 days ago

        Valid points. Also too, the cost associated with a business class data plan that actually allows hosting. If you think about it, it really is an arbitrary restriction put in place by ISPs to goad those who want to leverage the internet’s potential into more expensive plans.

        • dan@upvote.au
          ↑ 1 · edited · 2 days ago

          > business class data plan that actually allows hosting

          You can get a VPS for $30/year with 4GB RAM, 25-35 GB SSD. Still good enough to host some things! Self hosting doesn’t mean it has to be at your house. In some cases, using a VPS ends up cheaper than just the electricity cost for hosting at home, let alone hardware costs, internet costs, etc.

    • Chris Remington@beehaw.orgOPM
      ↑ 4 · 2 days ago

      > more people need to self-host, or at the very least we need more mom-and-pop style datacenters.

      > most would rather offload hardware costs and, more importantly, security, to those more knowledgeable.

      > running one’s own hardware is extremely time intensive, nevermind power and equipment costs

      These three points that you’ve made are NOT accurate. I could go into great detail as to why this is but I won’t waste our time nor embarrass you.

      The problem, unfortunately, always comes down to money.

      This isn’t a technological problem.

      All of the popular widely used corporate platforms gain more users because they have the money in which to market/advertise themselves.

      • forrgott@lemm.ee
        ↑ 7 · 2 days ago

        Wtf??

        What the hell are you even smoking???

        I do agree with one tiny little bit of your list, though, and that’s the fact that your rebuttal would, in fact, be a waste of time.

  • pcouy@lemmy.pierre-couy.fr
    ↑ 14 · 2 days ago

    There are a few things I don’t like about this scoring system:

    • Why is there a “Top Provider Content Share” metric if it’s gonna score the same as the “Top Provider User Share” every time?
    • Why is the Top Provider Content Share not higher than the user share? For instance, emails usually have at least one sender and one recipient, making it twice as likely that at least one of them is using gmail. If an email has 10 recipients across 10 different providers, each provider has a copy of the data.
    • Why is ease of hosting a mail server rated so well? How is “leveraging email hosting services” decentralized in any way?
    • Why are we using a random repo created a few hours ago by a random github user as a reference?

  • flamingos-cant@feddit.uk
    English · ↑ 15 · 2 days ago

    Self-Hosting: Server: Easy (Leverage email hosting services) → Score: 18/20

    Is it really self-hosting if someone else controls the data and software?

    • Radiant_sir_radiant@beehaw.org
      ↑ 9 · edited · 2 days ago

      I’ve run my own mail server since sometime late last century, and it’s gotten progressively more difficult over the years. Not setting up the server, that part is easy. Hardening it is a bit more work. But what’s making it nearly impossible is the big players’ anti-spam (or should that be in quotes) measures.
      My mail server checks all the boxes it should - TLS, SPF, DomainKeys, DMARC, a domain name that’s been around for decades, same hostname and IP address for years, never been on any block list, … yet still e-mails relayed by it are tagged as spam for increasingly ridiculous reasons: it’s a residential IP (actually it’s not), the PTR record doesn’t match the A/AAA record (yes, that server has multiple jobs and multiple host names - not that unusual), the domain name is suspicious (same owner and tech-c for decades, same IP and SPF records for years), … if I didn’t know better, I’d suspect that MS, Google etc. just use their spam filters to make life difficult for anyone outside their oligopoly. But that’s probably just because I’m a cynic.

      • dan@upvote.au
        ↑ 1 · edited · 2 days ago

        Spam protection is hard given SMTP was never designed with it in mind.

        I also self-host my email, but I use an outbound SMTP relay to avoid having to deal with all that stuff. My server sends outbound emails to a company that’s got that all figured out.

        Maybe that’s not “true” self hosting, but it’s really no different to people that self-host but put Cloudflare in front of their server, apart from the direction (Cloudflare is for inbound traffic whereas SMTP relaying is for outbound traffic).

  • millie@beehaw.org
    English · ↑ 2 · 2 days ago

    What is this shady, unsubstantiated, posted yesterday ass random github repo trying to encourage people to compromise their email security and why is it worth posting?

    • Dave@lemmy.nz
      ↑ 11 · 2 days ago

      What surprises me is that they count using an email service as self-hosting. With that logic wouldn’t bluesky get a high score because people can bring their own domain easily?

      • originalucifer@moist.catsweat.com
        ↑ 3 · 2 days ago

        email can be run using hundreds of servers on dozens of platforms even from your own house and interact with the email network.

        you’re not doing anything like that with bluesky. even with the domain thing, there is only a single bluesky router that everyone connects to.

        no one is self hosting a bluesky router

        • Dave@lemmy.nz
          ↑ 2 · edited · 2 days ago

          > email can be run using hundreds of servers on dozens of platforms even from your own house and interact with the email network.

          It’s nice that it can, but the point of this list is: is that what actually happens for the majority of people?

          And from my experience, the answer is no, the vast majority of people use Microsoft or Google.

          This claim is “Top Provider User Share: Google ≈ 17% → Score: 27/30”

          Where does this number come from? Gmail alone claims 1.5 billion active users. Outlook.com has 500 million. But then you have to start adding up all the email users worldwide that are using services hosted by Microsoft (all the Exchange business customers), and the google customers as well (that may or may not be included in the Gmail figures). Then there are all the ISP email addresses that use these services as the provider.

          I find it hard to believe that email is as decentralised as claimed here, and I’m really keen to see more data on how it was calculated.

          The reason I find it so hard to believe is that when Microsoft fucks up (and given time they always do), a significant portion of the business customers I deal with get affected.

          • originalucifer@moist.catsweat.com
            ↑ 3 · 2 days ago

            i personally know dozens of people self hosting email. tens of thousands of businesses have been hosting their own email for decades. i don’t think you can take self-hosting away from email by pointing out the billion users are 17% on google (or whatever).

            i’m not disagreeing with you that the big guys have big market share, but email is vast and ubiquitously self hosted.

            • Dave@lemmy.nz
              ↑ 1 · 2 days ago

              I just really want to see where the numbers come from.

              You know people self hosting email, I know people self hosting email. But that is certainly not the case for the vast, vast majority of individuals. For businesses, I have seen Exchange take over what used to be smaller hosts, and Google has broken into the small/medium business world as well. I have searched and searched and found nothing, but I don’t see why it should be so hard to do. Obtain a list of email addresses from some data breach (I dunno how but I’m sure security researchers do it all the time) then check their DNS to see what proportion point at big tech. My gut feel is that it’s a large proportion, but maybe that’s just the corner I work in.
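
Added example, not written by anyone in this thread: a sketch of the measurement described in the comment above, classifying each address's domain by the operator of its primary MX host and reporting each operator's share. The suffix map, the sample domains and the `sample_lookup` helper are assumptions constructed for illustration; only the domain part of each address is used.

```python
from collections import Counter

# Assumed suffix-to-operator map for this example; a real survey needs a longer list.
PROVIDER_SUFFIXES = {
    "google.com": "Google",
    "googlemail.com": "Google",
    "protection.outlook.com": "Microsoft",
}

def provider_for_mx(mx_host):
    """Match on DNS label boundaries so 'mx.notgoogle.com' is not counted as Google."""
    host = mx_host.rstrip(".").lower()
    for suffix, provider in PROVIDER_SUFFIXES.items():
        if host == suffix or host.endswith("." + suffix):
            return provider
    return "other"

def provider_for_domain(mx_records):
    """mx_records is a list of (preference, host); the lowest preference is tried first."""
    if not mx_records:
        # RFC 5321: with no MX record, mail goes to the domain's own address record.
        return "no-mx"
    _, primary = min(mx_records)
    return provider_for_mx(primary)

def provider_share(addresses, mx_lookup):
    """Return {provider: fraction of addresses}; mx_lookup(domain) supplies MX records."""
    counts, cache = Counter(), {}
    for addr in addresses:
        domain = addr.rsplit("@", 1)[-1].strip().lower()  # the local part is discarded
        if domain not in cache:
            cache[domain] = provider_for_domain(mx_lookup(domain))
        counts[cache[domain]] += 1
    total = sum(counts.values())
    return {provider: n / total for provider, n in counts.items()}

# Constructed sample data standing in for real DNS answers and a real address list.
SAMPLE_MX = {
    "gmail.com": [(5, "gmail-smtp-in.l.google.com."), (10, "alt1.gmail-smtp-in.l.google.com.")],
    "agency.example": [(1, "aspmx.l.google.com."), (5, "alt1.aspmx.l.google.com.")],
    "smallbiz.example": [(0, "smallbiz-example.mail.protection.outlook.com.")],
    "selfhosted.example": [(10, "mail.selfhosted.example.")],
    "lookalike.example": [(10, "mx.notgoogle.com.")],
    "legacy.example": [],
}
SAMPLE_ADDRESSES = [
    "a@gmail.com", "b@gmail.com", "c@gmail.com", "f@agency.example",
    "d@smallbiz.example", "e@smallbiz.example",
    "g@selfhosted.example", "h@selfhosted.example", "i@lookalike.example",
    "j@legacy.example",
]

def sample_lookup(domain):
    return SAMPLE_MX.get(domain, [])

if __name__ == "__main__":
    for provider, share in sorted(provider_share(SAMPLE_ADDRESSES, sample_lookup).items()):
        print(f"{provider:10s} {share:.0%}")
```

The MX record only shows who accepts the mail first; a domain behind a third-party filtering gateway can still keep its mailboxes at one of the large providers, so this method undercounts them.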

  • jagged_circle@feddit.nl
    English · ↑ 1 · 2 days ago

    Technical ease of running your own backend. Full points for Docker/simple setup with good docs.

    Oof, they need a column for security to mark back down all the services that use docker.

      • jagged_circle@feddit.nl
        English · ↑ 2 · edited · 1 day ago

        It downloads things without checking signatures by default. And even if you enable DCT, it TOFUs every key without even asking or checking against a WoT.

        Basically, using docker means you could run malicious code (arbitrary code execution) in your container because it doesn’t verify what it downloads.

        • jarfil@beehaw.org
          ↑ 1 · 1 day ago

          The bright side is, that you run it in a container. Beware of privileged mode, don’t give it unnecessary mounts or networks, and there’s very little some malicious code can do.

          If you’re using it for a build system, tough luck but you need to manage the keys to avoid TOFU, and ideally pull from your own registry.
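
Added example, not written by anyone in this thread: a small audit of `docker inspect` output for the settings named in the comment above (privileged mode, host networking, risky bind mounts) plus images referenced by tag rather than by digest. The list of sensitive paths, the finding labels and the sample containers are assumptions constructed for illustration.

```python
import json

# Host paths whose bind mount gives a container leverage over the host (assumed list).
SENSITIVE_SOURCES = ("/var/run/docker.sock", "/run/docker.sock", "/etc", "/root", "/proc", "/sys")

def is_sensitive(path):
    """True for '/' and for any listed path or anything beneath it."""
    return path == "/" or any(path == s or path.startswith(s + "/") for s in SENSITIVE_SOURCES)

def audit_container(info):
    """Return the findings for one object from `docker inspect` output."""
    findings = []
    host = info.get("HostConfig") or {}
    image = (info.get("Config") or {}).get("Image", "")
    if "@sha256:" not in image:
        # A tag can be re-pointed upstream; a digest reference is checked against the content hash.
        findings.append("image-not-pinned-by-digest")
    if host.get("Privileged"):
        findings.append("privileged")
    if host.get("NetworkMode") == "host":
        findings.append("host-network")
    for cap in host.get("CapAdd") or []:
        findings.append("cap-add:" + cap)
    for mount in info.get("Mounts") or []:
        src = mount.get("Source", "")
        if mount.get("Type") == "bind" and is_sensitive(src):
            findings.append("sensitive-bind:" + src)
    return findings

def audit_inspect_output(json_text):
    """Map container name to findings for the JSON array printed by `docker inspect`."""
    return {c.get("Name", "?").lstrip("/"): audit_container(c) for c in json.loads(json_text)}

# Constructed sample: one loosely configured container and one tightly configured one.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/blog", "Config": {"Image": "example/blog:latest"},
     "HostConfig": {"Privileged": True, "NetworkMode": "host", "CapAdd": None},
     "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                 "Destination": "/var/run/docker.sock", "RW": True}]},
    {"Name": "/wiki", "Config": {"Image": "registry.example/wiki@sha256:" + "0" * 64},
     "HostConfig": {"Privileged": False, "NetworkMode": "wiki_net", "CapAdd": []},
     "Mounts": [{"Type": "volume", "Source": "/var/lib/docker/volumes/wiki_data/_data",
                 "Destination": "/data", "RW": True}]},
])

if __name__ == "__main__":
    for name, findings in audit_inspect_output(SAMPLE_INSPECT).items():
        print(name, findings or "no findings")
```

On a live host the input would be the output of `docker inspect $(docker ps -q)`.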

          • jagged_circle@feddit.nl
            English · ↑ 1 · edited · 23 hours ago

            A container that has access to all the data on the database. All the users data is compromised. And the attacker can execute malicious JavaScript on the users.

            There’s nothing bright about using docker. It’s a huge risk.