---

Jeremy:

If you have to summarize your overall system architecture with this app – we've touched on Symfony, on your ORM – I already forgot the name of it again...

Alena:

Doctrine.

Jeremy:

Doctrine, right.

Alena:

For overall architecture, my site is a LAMP application. It is running with Ubuntu, Apache, PHP 8.1 and PostgreSQL. In your typical LAMP stack, the M usually stands for MySQL, but in this case, I'm running with PostgreSQL. And there are other components that are not web server components. There is an asynchronous queue system that is at play as well which processes all of the background work.

Jeremy:

What's that? referring to queue system

Alena:

That is another Symfony component. It's the Symfony Messenger component.

Jeremy:

Messenger.

Alena:

Messengers - You could think of it as a system where there's a database table of queued jobs to do, and a worker process just sits there listening, saying, “Check the database. Do I have any work to do? Do I have any work to do?” And when any new rows end up in the jobs table, the queue worker says, “Oh, there's work to do.” It grabs the row out of the queue, processes it, runs the job, and continues checking out work until there's no work left to do. This kind of enables an asynchronous style of programming that currently is not a native language feature of PHP at this point. In PHP, you can't really create a bunch of promises and await all of those promises to finish like you would in Javascript. So, having a queue worker system allows you to build asynchronous features with a slightly different approach. In this case, it would be more of a system where you dispatch work to the queue, and your queue worker, who's sitting there listening in the background, will pick it up and work on it. When writing code for a web server, you usually want web requests to finish as quickly as possible because you have a user who's sitting there who's either clicked a button, or who's refreshed the page, and they want to see something come back as soon as possible. You should send a response back to the user within a few hundred milliseconds or more to give the confirmation of saying, “Hey, the thing has been queued up to be worked on” or “We're working on it”. That can give a sense of confidence or a sense that your app is speedy or that things are working to the user. Whereas if your page sat there for five, ten seconds while something really long is running - that's something that, as far as user experience goes, is something you don't want the user to be stuck waiting for.

Jeremy:

Of course, got to reassure the users that progress is happening, things are moving along. I like the way you work around the lack of native async functionality. It's interesting to think about. The whole concept of workers is really cool; [it's] something that goes under discussed. When I learned programming [the field] was all [about] object-oriented this and that. It's wild to think how far things have come around. I know there's that one language that has workers as its fundamental core construct of doing anything. I forget what that one's called. [Editor's note: It's Erlang/OTP.]

Alena:

You'll have to mention that one to me. I'm curious.

Jeremy:

Oh, yes, I will. It's not OCaml. It's another one of those weird, niche, functional languages. It's not Clojure either. I forget; I'll get back to you on that. I know that on the web these days you have web workers, which you can use to run stuff outside of the main process. I'm pretty sure that's how those work. I don't quite remember... but it's cool that [there are] parallel approaches to the same problem.

Alena:

You bet.

Jeremy:

Just because you're lacking in a feature async/await doesn't mean you don't have a robust system in place.

Alena:

Correct. You can still do the same kind of asynchronous/multiple things at a time approach with a queue worker system. Because... a single worker can only do one thing at a time, true, but you can also spin up multiple workers, so that you can process multiple pieces of work at a time. Theoretically, an app with a worker approach, depending on how many workers you've spun up, could be much faster than a single process application that has asynchronous components. But that's all something that could be heavily, heavily debated about what approach is best for what thing.

Jeremy:

Right, right. But you always have to factor [in] scaling if you want your app to be used by anyone. These are good conversations to have early.

Alena:

Exactly. There's no one best tool out there. There are so many different tools and they are all equally well suited for different things.

Jeremy:

That sounds just about right. Well, I know that there's a worst tool for everything and it's the official KDE tool 🤡 No, I'm just kidding!

Alena:

There's a lot of KDE bashing going on. 🤨

Jeremy:

I'm a huge KDE aficionado; I love KDE, and so... as a hardcore KDE user, I reserve the right to trash KDE for free.

Alena:

Ya trash them because ya love them. 🥰

Jeremy:

Exactly.

Alena:

You want them to be great.

Jeremy:

I would feel bad if it was any other projects, but I don't feel bad for KDE. I've put way too much of my life into banging my head against the wall, trying to get KDE software to do what it's supposed to do. Anyway, 😅 was there anything that got you banging your head against the wall working on this project? What were some challenges you ran into? Was there anything that really took some time to get over? This is a pretty big app. There's a lot of code to it. It certainly took a while to make.

Alena:

Yeah, pieces that took quite a large time to get just right is... number one, pulling data in. Pulling data into the app, like the clinics, as well as processing them. This was a problem that took me a while to find the right approach. I knew that I wanted to pull in clinics from Erin Reed's data source, and I did not want any duplicates of them. I wanted to keep them up to date over time. The Erin Reed data source is a user Google Map, which can be exported in KML format, which is kind of like an XML maps format. I was able to write a scraper that would pull down that XML, parse through it, and create a bunch of database objects for each of those clinics. But the hard part is, over time, how do I make sure that I'm not continually re-importing the same ones? I ran into another problem that these clinic or location records did not have any kind of unique identifier about them.

Jeremy:

Oh no.

Alena:

Which is... problematic, because there's not really a great way to check if I have the record already other than taking some of the properties of the clinic and doing comparisons on records, like “do these couple fields match?”, and doing database searches like that. I landed on creating a hash of a couple of the clinic properties and saving the hashes. With the hashes of the clinics I have already, I can compare against the hash of new clinics, so that I can quickly know whether or not I already pulled something in. But what if I pull an updated clinic that has a piece of text slightly changed? Well, the hash is going to differ, of course. So the system is going to pull in that clinic, and now I have essentially two of the same thing, one which is slightly different from the other. Ideally, I don't want three or more copies of the same clinic, as things change over time. So my thought was, well, how can I figure out how to combine all of these duplicates, or flag all of these that are theoretically the same ones? If I'm going to pull in other datasets, like Southern Equality's dataset, I also want to be able to flag which of Southern Equality's clinics and which of Erin Reed's clinics are the same ones. I wanted a process to be able to flag those so I spent a lot of time, a couple weeks, coming up with the right way to check for duplicate clinics. So whenever a new clinic comes in, there's the first piece that determines whether or not it's already in the system and the clinic gets saved if a hash of it hasn't been saved already. Once that happens, a job is sent to the queue worker to say, hey, we need to check for duplicates for this specific clinic. The queue worker will pick up that job, then search the database for nearby clinics using lat-long coordinates as well as checking for clinics with similar names. I spent a bunch of time figuring out how to do geo coordinate stuff with PostgreSQL and with Doctrine, the ORM, because I needed to do database searches on lat long coordinates. I found a PostgreSQL extension, PostGIS, that allows you to store lat long coordinates and the extension will generate metadata that can be used to perform distance checks and more advanced geographical searches. Probably most lat long operations you could think of are implemented in this PostgreSQL extension. In this case, I was mostly interested in just the distance between two points. I was able to efficiently search my data to find what clinics were within a half mile or a mile of the new clinic that was imported. And the next piece was, once I find clinics that are nearby to each other, how do I get as close as I can be, to know if they're duplicates or not? So I landed on a solution with help from my brother. He was very, very helpful in picking out a strategy that I could use to compare two different strings – a comparison technique called Levenshtein. Levenshtein is a method of counting the number of additions, modifications and removals you have to make to a string to make it look like another string. Kind of like the distance between two strings; the changes you have to make, like do you add a character, do you remove a character, do you change a character to make two strings the same? I used a PHP implementation of Levenshtein to do those string comparisons for the final judgment of “How likely are these two clinics to be the same?”

Jeremy:

Your last filter.

Alena:

I've had very good success. I have had very few false positives and have made the system automatically flag duplicates for me to review and then deal with. I added some UI where you could review the duplicates that the system flagged and be able to resolve them by picking one of them to save. So I just have to log in every so often to the system to see if any duplicates were found. There are a couple of resolution steps to do, rather than having to go through all the data either by hand or with a script. [Editor's note: I wonder if you could do this with makefiles and cron jobs.]

Jeremy:

Right. That makes sense. Is that what's in the — where do you exactly do that? Is that what's in the admin page? I know [it] exists, but I can't see [it].

Alena:

So yeah, on the admin page, there's a view of how many clinics have been collected in total, how many new clinics have been recently pulled in, and how many unpublished clinics there are. Because when new clinics are pulled in, they don't get automatically enabled in the search. I have to manually review them and say yes to them, as well as the duplicates the system flagged. There's a quick link to just jump to the list of different duplicates.

Jeremy:

Makes sense. Your review queue of sorts.

Alena:

Yeah.

Jeremy:

Certainly quite a struggle. I didn't even think about all the data pre processing that you have to do to keep your dataset up to date.

Alena:

Oh, there's a lot of data pre processing, not even just pulling in the the clinics themselves, but also – how do you pull in the data used to search the clinics? Like if a user wants to search via a zip code or they want to search via a city, how is my system supposed to know what's a city in the world? Or how should a city be converted to lat long coordinates? Or how do you get from a zip code to lat long coordinates?

Jeremy:

😰

Alena:

So I had to look for open data sets of cities in the United States and zip codes. I landed on an open data set called GeoNames that has a couple fairly large data sets. They take about a half hour to fully import. I had to write some console commands to pull down the zip files for them, process all the rows, and actually link everything up. And that takes about a couple gigs worth of data. So it takes about 20, 25 minutes or so.

Jeremy:

Sure. Oh, wow.

Alena:

And so there's not just pulling in the clinics, but also pulling in those data sets to actually have what's needed to do the actual text search, or zip code search.

Jeremy:

Right. Oh, my. 😳 You have to be able to speak the same language, you know? You need one metric by which you can judge things. Getting everything nice and unified like that must be an insane amount of work to do, [especially] invisibly, under the hood.

Alena:

Yeah, when you type in your location, a zip code or a city, your search isn't going to anyone else. My server has all of the locations saved in a couple database tables that I can query in MySQL. I keep trying to say MySQL. I work in MySQL too much. So PostgreSQL queries just run to compare the search to any of the stored locations.

Jeremy:

Hmm, right. I noticed that code. That was really interesting. The code where the users location that they put in gets compared to a distance check. That little query you did in there was really interesting.

Alena:

It's not exactly perfect. The actual city name search needs some work. It doesn't always perfectly translate a search because it's using a likeness check in PostgreSQL to do fuzzy string matches to try to get as close to cities as it can. It works a lot of the time, but try St. Paul, for example. The database is storing it as S-A-I-N-T Paul. But... a lot of times someone who might be searching for St. Paul might just type in S-T dot Paul. That will not pull up the autocomplete on the site. It won't autocomplete to St. Paul, Minnesota right away. So that is one area for improvement, say, abbreviations of city names. Or maybe even there needs to be a component that is able to auto convert those abbreviations into full names. You could get very magical with what's going on to actually convert that user input. I may have just given myself an idea for how to improve that.

Jeremy:

Oh boy! Looks like we need more datasets!! 😆

Alena:

I might need some more collaboration here 😅 This conversation has been helpful 🙂

Jeremy:

That is pretty cool. You know, the search part of it is interesting. If I had to make a suggestion, I think a ranking system of sorts would be a super [useful feature]. I have no clue how you'd implement it, but it would be nice, you know? Because when I type in Minneapolis, the first thing comes up is Minneapolis, Kansas - And I'm like, what? Who cares about Minneapolis, Kansas? 🙄 There should be some kind of metric to [say] “I know what the most important Minneapolis is”. Maybe by population of the city.

Alena:

😂 That's true, that's true. I think I could be wrong, but I'm pretty sure that there are population values in the Geonames dataset. I'm pretty sure that might be something that can be pulled in.

Jeremy:

Well, because of this one single tiny nitpicky flaw, your app is terrible. 😤 Absolutely, you know, worst app ever. Not worth using. And you used PostgreSQL instead of the obviously based, glorious, much better MySQL.

Alena:

Daddy Oracle.

Jeremy:

How dare you? 😠

Alena:

Big Daddy Oracle. 😏

Jeremy:

🤣 [Only] praise [allowed]! I will accept no Oracular slander in this house. Could you tell me more? I know so little about the database side of things. Why PostgreSQL over, say, MariaDB?

Alena:

Honestly, I knew that PostgreSQL is quite big in the open source space. And I kind of wanted a chance to try it, give it a spin. I kind of figured, “Well, if things are not working super well, within the first few weeks or so, it wouldn't be too hard, using an ORM, to switch from PostgreSQL to MySQL, or back to, say, MariaDB. I haven't had any personal experience with MariaDB. I've been told that it's kind of like a drop-in replacement for MySQL, which would be great to have that same kind of syntax and functionality that I expect. Just minus, you know, the Big Daddy Oracle. 😁

Jeremy:

Right. 😆

Alena:

I kinda wanted to take PostgreSQL for a spin.

Jeremy:

Give it a shot. Yeah, why not?

Alena:

So far, I haven't run into any performance or specific lack of functionality that it didn't have compared to other relational database servers. I'm quite happy with PostgreSQL. On another note, on what you said earlier – we should totally make an app called OpenSpores, a mushroom identification app with an open data set, where you can input different mushroom features and narrow down which shroom you're looking at.

Alena:

😂

Jeremy:

You know, maybe some computational photography stuff, although that gets kind of icky and proprietary.

Alena:

😔

Jeremy:

Who knows. Just food for thought and thought about food.

Alena:

Maybe we will have to make our own machine learning model for identifying mushrooms and make our own Friday night hack project of a mushroom identifier.

Jeremy:

Perhaps, perhaps. It's certainly an option. I think there's certainly some intersectionality. Anyone interested in networking should be interested in mushrooms, I think.

Alena:

😆

Jeremy:

Perhaps that's just me. You know, we need more alternatives to these hot technologies. They're so, so proprietary. I really like especially how this app... it feels professional.

Alena:

Oh, thank you. ☺️

Jeremy:

You wouldn't think it was made by a single person.

Alena:

Oh, thank you. 😊

Jeremy:

[You'd think it was made by a] team subdivision of, I don't know, some sort of activist group.

Alena:

Someone told me my app look quite corporate. 🤣

Jeremy:

Oh! 😵 Oh no.

Alena:

And I'm like, oh, no! 😅

Jeremy:

Oh, no, no. I'll make you a style sheet to make it look like a dive bar. I'll add some Web 1.0 flair.

Alena:

Excellent.

Jeremy:

But, you know, it's cool to see this sort of... grassroots free software activism in the place of more traditional, official, state or corporate offerings. And it's kind of a radical model you have here. Do you have any other areas of social malaise that you think would benefit from similar projects like this? from active open source [development]? What do you think needs to be made less proprietary, if you could choose?

Alena:

Things that could be made less proprietary... 🤔 My focus has been tools for the LGBTQ space. I'm sure there could be quite a lot more search tools created for all sorts of different specialized medical care. But for any particular applications, what would I like to see more open source of? hmm...

Jeremy:

I mean, for my money, I talked – like a year ago – to my boyfriend about making a open source gay dating app. But Lord knows [certain reactionary] heterosexual people would riot if they found out that was a thing. 😒

Alena:

😞 I'm sure there's a plethora of great ideas that could be used for that. Just even glancing at my phone – I'm using a proprietary medication tracker app. I'd love it if there was something I could use that had a good hook into a federal medication database, to allow me to quickly add meds without all of the proprietary, nasty tracking features that are probably going on under the hood.

Jeremy:

Mozilla released their report last year – Privacy Not Included – that talked about all these different apps in the Google Play store and how the permissions that the [Play store page] said the app would need had no correlation with the actual privacy policies on the apps' website. I saw an email a few months ago [from them] – they've done updates on this since, and the worst performing section probably shouldn't be any surprise: Mental health apps.

Alena:

Geez.

Jeremy:

People who need care? Tell me all your deepest secrets so that I can monetize them. Doesn't that sound fun? 🤑

Alena:

That's... kind of disheartening to hear. 😞 Well, if anyone has any ideas to make good mental health apps, that sounds like something that could benefit from a new contender in this space, a new free contender.

Jeremy:

For sure. Definitely.

Alena:

Or paid.

Jeremy:

Or paid!

Alena:

I'm not against paid open source applications.

Jeremy:

Yeah. Open core or other models. NOOO!! You must starve for your work. 😈 Absolutely. You know, I'd love to do something similar [to] this – make some kind of contribution to the queer community in my... tech bro way. You know, convince them I'm on their side.

Alena:

Yeah.

Jeremy:

It would be nice to [perhaps] fork this and do something with that, maybe with a different data set. I like the idea of a locator app of things that are mappable. It makes it very tangible, you know.

Alena:

This application is GPL 3.0, sooo have at it! 🥳

Jeremy:

Hey, there we go! Well, it seems like all the work was in the dataset preparation anyway.

Alena:

Reskin it. Go for it.

Jeremy:

All right. Perhaps I will. That could be kind of fun. 🙂

Welcome to Cyberia Chats!

This is the start of an interview series here at Cyberia where I, your host, Bread, will be interviewing members of the Cyberia Computer Club about projects they've been working on. The folks here at Cyberia write some top-notch software – often with little to no recognition! They deserve better. We have an enormous wealth of talent here, just dying to shine.

Hopefully, these talks will inspire folks in Cyberia to contribute to each other's projects, or maybe just take a look at the code, or perhaps just talk to each other a bit more. Here to begin the conversation with me is Alena, the talented developer of mychoicehrt.org, an open source website that trans folks can use to find nearby healthcare centers.

We (meticulously!) edited this interview for clarity. If you'd like to hear the original interview, or see the original transcript generated by Whisper, DM me on Matrix at @breadzeppelin:cyberia.club.

---

Jeremy:

And hello there! We are live with our very first Cyberia Chat. This is an interview series that I, Bread here, hope to start – where we do deep dives into the amazing projects that all the talented folks in Cyberia are working on and have worked on to try to pick their brains to get a sense of what motivates them – so that they can feel like they're part of the community, that people care about their work, you know? I mean, so much of my whole career is spent doing meaningless bullshit work that no one will ever appreciate, so I'd hope that we developers... [I'd hope that] the stuff that we're doing outside of work gets appreciated, you know?

Alena:

Yeah, it takes a lot of energy to, if you have a full-time job, really put in that same level of effort in another project, because there's always the fear that you're gonna...burn out on that specific type of skill, you know? I feel that it's important to recognize when you're using a skill too much, or pushing yourself too hard – because it's a lot.

Jeremy:

No, what are you talking about? It's easy! It only took you 196 commits... Nooo, it's nothing.

Alena:

😆 You know, over the course of like three months.

Jeremy:

No, whatever!

Alena:

Working full-time on it. I quit my job to do this for three months.

Jeremy:

🤣 Oh my god.

Alena:

😂

Jeremy:

Maybe you'll get some new folks on Ko-Fi or something after this. I hope so, Alena. I've always thought this was a pretty... this was one of those things that when I saw it, I was like, “Whoa! Why is everyone not freaking out? This is crazy! Is no one... what? Is no one...?”

Alena:

I hope that I'll get a small amount of traffic, and I hope that the site has been useful and is working for the folks that have found it.

Jeremy:

I hope so too, you know? I hope you're getting some good user feedback and all that. That'd be cool. I feel like you're making a difference in the community. I guess that is your goal, right?

Alena:

Yeah.

Jeremy:

Could you tell me what drew you to this issue and how you got inspired to start this [project] in the first place?

Alena:

Yeah, so I've been following the whole legislative storm of different bills that are either restricting or completely outright banning certain types of care in the United States. And specifically, I feel passionate about following what's going on with transgender care and informed consent medical care. I've been following an activist named Erin Reed who provides resources for keeping up-to-date on legislation that affects the transgender community. She also maintains a list of about 900 or so informed consent clinics in the US, which is a colossal amount of work for one person to do.

Jeremy:

That's just one person!? 😳

Alena:

Yeah, clinics in the US and a handful of clinics in a couple of other countries too. It's a very large data set that I've been following for a while. My idea was to see if there was a way to help people search it a little easier, to be able to enter just a couple of location details and have it instantly pull up a list of the clinics from the data set – to make using that resource even easier. Since Erin's map uses Google My Maps, it lacks the same features that you would typically think of Google Maps to have, like searches using your location or advanced searches for things near me. If you want to find clinics near to you on the map, you have to know where you are and find your location which involves scanning over the map to find your region or knowing the latitude and longitude of your town. Then it's a process of visually finding what clinics are close enough. So my goal is to remove that step of having to manually search the map and quickly pull up the closest informed consent clinics. The project first started as pulling in all the clinics from Erin Reed's map to catalog them and make them searchable, but it kind of grew a little more from there.

Jeremy:

Ooooh!

Alena:

I was thinking I could also pull in other data sources as well. I added one other data source to my website, which is the Southern Equality Trans in the South list of transgender care providers. My site is only importing their informed consent clinics, but they have a whole lot of other resources not just confined to informed consent clinics. They have a search interface to find more transgender – even general LGBTQ+ friendly – care; they might be a resource to look for.

Jeremy:

Glad you're shouting them out. Pretty impressive. You know, a good amalgamation of very important, relevant data sets, you know, data science and data sets... These are words that sound so abstract, I feel like, to a lot of people – but no, this is useful, you know? And this is the kind of thing where inaccessible, bad UX gets in the way of people, especially with the earlier thing, the Erin Reeds map, you know, Google user map. Poorly integrated, old Google project....

Alena:

😅 Yeah. People could do with a little less Google tracking them, especially when it comes to medical care.

Jeremy:

🤯 Whoa – that's also a good point. Privacy side of things. Better to just have your resource, which, you know, is open source. People can see it [without fear of being tracked]. They can deploy the web app themselves, I guess, in theory. But yeah, that's awesome. I didn't realize that that whole Erin Reed dataset was compiled by [just] that one person.

Alena:

Yeah, Erin is doing an immense amount of work and should be applauded for it - because they are still maintaining that map and still doing very, very good work.

Jeremy:

It's not over.

Alena:

Yeah. The goal is a resource you can quickly find clinics on, quickly find the care you need, all while not having any kind of tracking in the midst. My site's not tracking anyone who comes to it. Well, with the exception of the contact feedback form - Whether HCaptcha is doing any, you know, any particular logging of HTTP traffic when the CAPTCHA handshake is going on – that's the part I'm not as confident about 😬 But at least the main search interface -

Jeremy:

Woooooow. Wooow! 😂 Interview over. Terrible app; not private.

Alena:

Oh no. It's all gone. It's all gone.

Jeremy:

Game over, Alena.

Alena:

It's game over now.

Jeremy:

Why'd you blow it like that? 😆

Alena:

Oh, I know. I know. 😅 I wanted to try to keep bots from spamming my contact form. So I was like, “Dang it! The tried and tested CAPTCHA service.” I suppose one could host their own CAPTCHA. I'm sure there has to be some self-hosted option.

Jeremy:

Doesn't Forrest has his own CAPTCHA service? Maybe you can switch to using that.

Alena:

Ooh, there we go. There we go. Gotta get in contact with Forest.

Jeremy:

Right, see!? 🤩 This is why we need more cross-pollination, you know? We have our own Cyberia toolkits going on.

Alena:

Oooooh – Cyberia CAPTCHA! 😄

Jeremy:

Hey-ooo 🤯

Alena:

Hosted on Capsul. Woo! 🎆

Jeremy:

CAPTCHA on Capsul. Oh snap. Alright, now we're cooking... but let's move on. Glad to hear the grounding here – fighting for something you care about.

Alena:

Yeah :D

Jeremy:

This is a field where privacy really matters. I remember last year when Roe v. Wade got overturned because, you know, we live in a 10th, 11th world country -bottom of the barrel country court system; but I digress. You know, when that was overturned, everyone started freaking out about their period trackers [and] stuff like that.

Alena:

Rightly so, because there's a lot of those medical-oriented applications that are logging all of that data – and while a lot of them might not be blatantly using it for tracking that specific user, those are just goldmines of people's personal health information, too – if those ever get leaked, and if there's anything personally identifiable in them, that's not good, to put it lightly. Yeah.

Jeremy:

Overnight, I feel like, a lot of people went from, “Oh, who cares about my data? Everyone has all of my data,” to “Oh my god, wait, I really need some privacy right now[^1],” especially if you are a woman. <sarcasm> And, you know, trans people, well, lord knows, they're certainly not under attack anywhere. Noooo, no, definitely not. </sarcasm>

Alena:

Yikes. It's a tough time.

Jeremy:

It is – but I think that projects like this are important to show that there is good stuff that can happen in the programming space. A lot of the folks I talk to who care about trans rights are generally non-techie people. They're maybe more bookish, artsy types. [In] general, [the] leftist folks I hang out with are oftentimes Luddites. I don't mean to use that [as] a derogatory term.... [I just mean that they're] skeptical of large tech companies. I get that [concern] – so I think it's important that we have stuff like this to [say], “Hey, we can help! Technology is a tool. We can use it. We can do good stuff with it, even if that tool is PHP.” Could you tell me a bit – *bursts into laughter*😆

Alena:

Ooooh. 🤨 “Even if that tool is PHP”? I feel a little attacked here.

Jeremy:

Attacked!? *poorly feigning ignorance* 🤣

Alena:

😆 You know, PHP is—

Jeremy:

All right, tell me about this terrible— na na na 😆 I've been reading some of the docs for PHP, and it seems that PHP has turned around quite a bit in recent years. A lot of new features have been added to the language. It's pretty interesting, some of the stuff that the [language has] these days. I mean, [it has] just-in-time compilation [now]. They're adding Java style [compilation] to PHP. That must be good for performance, right?

Alena:

PHP is slowly, slowly becoming a more strictly typed, less dynamic programming language. Slowly but surely locking things down – adding a full, strict type system in, if you want to use it. Cleaning up older functions and making them more consistent. Making changes under the hood for performance and things like just-in-time compilation. If you have a web server that's written entirely in PHP, without any use of Apache, features like just-in-time compilation can help immensely with those types of applications. So, yeah, there's a lot of modernization going on in the PHP project. ☺️

Jeremy:

Very cool, very cool. I'm sure it must have changed a lot over the years as you've been working [within the ecosystem]. There was quite a lot of neat little aspects of the architecture [that] I saw, [that] I learned about as I was going through this. Stuff like Symfony, and... what's it called, the ORM that you use?

Alena:

Yes, Doctrine.

Jeremy:

Yep, that one. That was pretty interesting. You know, I am someone who is just learning the PHP ecosystem now. It's kind of fun! This is a fun little peek into the [PHP] world to try to learn it[s mysterious ways~]. What are some of your favorite little – in the PHP zone, the PHP space, the environment – what are some interesting little projects happening that have inspired you, as a developer?

Alena:

Ooh... projects in the PHP space that have inspired me... ...well, I started out doing PHP dev just through work. That's how I kind of started out getting into that zone. And a lot of times in the PHP space, there are quite a lot of projects – particularly ones, you know, that aren't kind of using one of the major frameworks. You know, it's quite a lot of times common to see a PHP project built completely from scratch, without any kind of framework.

Jeremy:

Wow. *impressed*

Alena:

So I came from doing PHP without a framework at the start. I learned the language without a lot of the tools like Laravel and Symfony, and even without an ORM tool like Doctrine, to get started. I'm also thinking, like, how much am I allowed to specifically talk about the code base I worked on in my first job? Since it was a proprietary code base.

Jeremy:

Oh, sure, you don't want to have trouble with your former employer.

Alena:

Oh, that good stuff. But yeah, through getting started with PHP through work, I started investigating the Symfony project for a new JSON API. I've always liked building API applications - specifically APIs paired with some kind of other front end layer; whether you're server-side rendering at that layer, or whether you're using a single page app framework. Since I also came from the Java world before PHP, I was drawn to Symfony because it was very, very close in a lot of syntax and structure to the Spring framework in Java.

Jeremy:

Ahhh!

Alena:

That drew me there because I have familiarity with the Spring framework, and it was kind of like, “Oh, I'm back home, but in a language I like a little bit more”. ,*Both Laugh.*

Jeremy:

Watch your toes with just in time compilation! Maybe PHP is turning into Java. Oh, God.

Alena:

Yeah, just in time compilation. It's an interesting topic, because I really think it benefits specific PHP applications that aren't... well, I should probably back up a little bit — The PHP lifecycle. The classic PHP application being the LAMP stack application, where you're using PHP with something like Apache, where Apache has a module that is a PHP module, and Apache has a series of threads and says, “Okay, a request is coming in, I'm going to send it to PHP; PHP will run the code, process the request, spit out a result, and then PHP's done.” So in that typical lifecycle of PHP, PHP starts up, and then it stops. It's not running all the time. It only runs when a request actually comes in. Now, for a server built entirely in PHP... Swoole is one of those ones out there; I think ReactPHP is also a similar kind of application – where the server is entirely built in PHP... ...that's where just-in-time compilation can be very helpful – because the PHP process theoretically is on all the time; thus, the just-in-time compilation is very useful because the application isn't having to bootstrap all the time. It's able to do the parsing of the code base, compile all of that, and have that at the ready throughout the lifecycle of the server. ... That was just a side note; that's probably not particularly super— 😅

Jeremy:

No! That's cool. It's redefining what PHP is, what it can be used for. It really expands the possibilities, and I think it's a smart feature to add. It's certainly one of the one of the selling points of Java, right? I mean, if I was told I could have Java without public static void main(String[] args)-ass boilerplate, I'd be like, “Sweet! Sign me up!”. You could have easily slipped a PHP into my dev world, like parents slip broccoli into their kids' brownies.

Alena:

,*chuckle*

Jeremy:

I would have ate that up. But yeah, maybe PHP just needs a bit of optics help, perhaps.

Alena:

I think what really doesn't help its reputation these days is... Number one, there's all the existing views of PHP as the old, gross, nasty, WordPressy language. I feel like there's a specific stereotype about PHP in that regard. But then two: I feel like PHP could use some better beginner resources, like those that Python has, for example. If you go to Python's official website, there's a very, very simple tutorial for, “Let's get you started with Python!” immediately on the homepage, to get you started with simple code – whereas there's not really anything like that on PHP's official website. It's kind of like you've got to dive in the docs, you've got to find the Getting Started page, you've got to go through the whole rigmarole of installing a CLI interpreter and all of that... where, with a bit of work, the homepage and the Getting Started resources could be streamlined and improved a whole lot. In fact, there is another project, I don't remember the exact name, but there is another project that is working to try to make a better Getting Started guide for new PHP users.

Jeremy:

No way.

Alena:

Yeah, it's a work in progress, I think.

Jeremy:

That's great. I think that's awesome. Accessibility, good documentation, it's the stuff that no dev wants to do if they're doing it for passion, because they just need stuff for themselves. I imagine PHP people often— ...PHP people, there's definitely a recursive acronym you can use for that... But yeah – PHP folks probably think, “Oh, you've been doing this since '97, haven't you? You don't need a beginner's guide.”

Alena:

Oh. 🙃

Jeremy:

I'm glad there are folks who care about that, because that's good, because I've never coded in PHP, and I'm glad I have you [around] to help me out when we get to the next step of this process. That will be pretty cool.

i grew up on my mom's banana bread. it's a great way to use overripe bananas. this recipe was developed from a generic nut bread recipe from her old betty crocker cookbook by both of us making changes along the way.

ingredients

wet mix

• 3 over-ripe bananas [1]
• 1 egg
• 1 cup sugar
• 1 cup oat milk [2]
• 3 tbsp olive oil
• 1 tsp vanilla
• a pinch of salt to taste

dry mix

• 2.5 cups flour
• 3.5 tsp baking powder

fillings (optional)

• up to .5 cup dark chocolate chips, nuts, dates, what-have-you. [3]

steps

pre-heat oven to 350°F and grease a medium-sized loaf pan. combine wet mix and stir/beat until bananas are mostly mashed but still lumpy. sift in dry mix and stir just until combined. do not over-mix. gently fold in your optional fillings. pour the batter into the loaf pan and bake on a center rack for 55 minutes. once done, let it rest for a couple minutes, then turn it out onto a wire rack to cool.

---

footnotes

[1] they should have some brown on the outside, maybe 50%, and be soft. don't use if they're rotten. [2] i don't think the type of milk you use is essential. let me know if you try any others! [3] neither my mom nor i like nuts in baked goods but maybe you do. that's fine.

ingredients

• 2-3 tbsp vegetable oil
• 1 small or medium yellow onion, finely sliced [1]
• 3 cans of different types of beans [2]
• 1 can corn
• 1 can diced tomatoes
• 1 to 1.5 cups chopped carrots
• 1 bell pepper (choose ur favorite color)
• 2 cups vegetable stock

spices [3]

• paprika (regular and smoked)
• cumin
• oregano
• garlic powder
• cinnamon
• basil
• MSG [4]
• black pepper
• white pepper
• cayenne pepper
• salt

steps

1. heat vegetable oil in a large pot.
2. add onions and cook until translucent.
3. stir in spices and cook for another minute or 2.
4. empty all the cans into the pot, add veggies and stock.
5. bring to a boil then let simmer on low for like an hour, loosely covered so steam can vent, stirring occasionally.
6. add salt to taste and enjoy!

---

footnotes

[0] original recipe i based this one off of: https://www.thedailymeal.com/cook/vegetarian-bean-chili [1] size of the onion depends on your preference and FODMAP tolerance. i also threw in a shallot because i had one in the fridge but it probably didn't make much of a difference. [2] i used black beans, garbanzo beans (chickpeas), and great northern beans (about 1 cup after soaking) [3] i just kinda eyeballed the spices, sorry. i tried to put them in order of highest to lowest amount. the ones toward the bottom aren't that important to get right so use whatever you have! [4] you could substitute with extra salt and a pinch of sugar but imo you should really have MSG in your pantry. it Makes Stuff Good™

A fresh start, a blank sheet, untouched digital territory that Cyberia can sully with our awful posts. This is our new blog site. You may sign up for an account; hopefully this will be a place Cyberia users can put their thoughts, share projects in more exhaustive detail, write poetry, whatever strikes your fancy really.

The editor understands markdown and HTML. Play around and see what you can do with it. Documentation is available at the writefreely website, and the writing guide is here. Hopefully bread will add some pretty CSS. Happy writing!

---

Imported from https://cyberia.club/blog Originally published: 2021-12-17

---

rumors of my demise have been greatly exaggerated

Forest 2021-12-17

WHAT IS THIS?

If you're a wondering “what is capsul?”, see:

https://capsul.org

Here's a quick summary of what's in this post:

• cryptocurrency payments are back

• we visited the server in person for maintenance

• most capsuls disks should have trim/discard support now, so you can run the fstrim command to optimize your capsul's disk. (please do this, it will save us a lot of disk space!!)

• we updated most of our operating system images and added a new rocky linux image!

• potential ideas for future development on capsul

• exciting news about a new server and a new capsul fork being developed by co-op cloud / servers.coop

  ~

WHAT HAPPENED TO THE CRYPTOCURRENCY PAYMENT OPTION?

Life happens. Cyberia Computer Club has been hustling and bustling to build out our new in-person space in Minneapolis, MN:

https://wiki.cyberia.club/hypha/cyberia_hq/faq

Hackerspace, lab, clubhouse, we aren't sure what to call it yet, but we're extremely excited to finish with the renovations and move in!

In the meantime, something went wrong with the physical machine hosting our BTCPay server and we didn't have anywhere convenient to move it, nor time to replace it, so we simply disabled cryptocurrency payments temporarily in September 2021.

Many of yall have emailed us asking “what gives??”, and I'm glad to finally be able to announce that

“the situation has been dealt with”,

we have a brand new server and the blockchain syncing process is complete, cryptocurrency payments in bitcoin, litecoin, and monero are back online now!

—> https://capsul.org/payment/btcpay <—

~

THAT ONE TIME CAPSUL WAS ALMOST fsync()'d TO DEATH

Guess what? Yall loved capsul so much, you wore our disks out. Well, almost.

We use redundant solid state disks + the ZFS file system for your capsul's block storage needs, and it turns out that some of our users like to write files. A lot.

Over time, SSDs will wear out, mostly dependent on how many writes hit the disk. Baikal, the server behind capsul.org, is a bit different from a typical desktop computer, as it hosts about 100 virtual machines, each with thier own list of application processes, for over 50 individual capsul users, each of whom may be providing services to many other individuals in turn.

The disk-wear-out situation was exacerbated by our geographical separation from the server; we live in Minneapolis, MN, but the server is in Georgia. We wanted to install NVME drives to expand our storage capacity ahead of growing demand, but when we would mail PCI-e to NVME adapters to CyberWurx, our datacenter colocation provider, they kept telling us the adapter didn't fit inside the 1U chassis of the server.

At one point, we were forced to take a risk and undo the redundancy of the disks in order to expand our storage capacity and prevent “out of disk space” errors from crashing your capsuls. It was a calculated risk, trading certain doom now for the potential possibility of doom later.

Well, time passed while we were busy with other projects, and those non-redundant disks started wearing out. According to the “smartmon” monitoring indicator, they reached about 25% lifespan remaining. Once the disk theoretically hit 0%, it would become read-only in order to protect itself from total data loss. So we had to replace them before that happened.

https://picopublish.sequentialread.com/files/smartmon_dec2021.png

We were so scared of what could happen if we slept on this that we booked a flight to Atlanta for maintenance. We wanted to replace the disks in person, and ensure we could restore the ZFS disk mirroring feature.

We even custom 3d-printed a bracket for the tiny PCI-e NVME drive that we needed in order to restore redundancy for the disks, just to make 100% sure that the maintenance we were doing would succeed & maintain stability for everyone who has placed thier trust in us and voted with thier shells, investing thier time and money on virtual machines that we maintain on a volunteer basis.

https://picopublish.sequentialread.com/files/silly-nvme-bracket2.jpg

Unfortunately, “100% sure” was still not good enough, the new NVME drive didn't work as a ZFS mirroring partner at first ⁠— the existing NVME drive was 951GB, and the one we had purchased was 931GB. It was too small and ZFS would not accept that. f0x suggested:

[you could] start a new pool on the new disk, zfs send all the old data over, then have an equally sized partition on the old disk then add that to the mirror

But we had no idea how to do that exactly or how long it would take & we didn't want to change the plan at the last second, so instead we ended up taking the train from the datacenter to Best Buy to buy a new disk instead.

The actual formatted sizes of these drives are typically never printed on the packaging or even mentioned on PDF datasheets online. When I could find an actual number for a model, it was always the lower 931GB. So, we ended up buying a “2TB” drive as it was the only one BestBuy had which we could guarantee would work.

So, lesson learned the hard way. If you want to use ZFS mirroring and maybe replace a drive later, make sure to choose a fixed partition size which is slightly smaller than the typical avaliable space on the size of drive you're using, in case the replacement drive was manufactured with slightly less avaliable formatted space!!!

Once mirroring was restored, we made sure to test it in practice by carefully removing a disk from the server while it's running:

https://picopublish.sequentialread.com/files/zfs_disk_replacement/

While we could have theoretically done this maintenance remotely with the folks at CyberWurx performing the physical parts replacement per a ticket we open with them, we wanted to be sure we could meet the timeline that the disks had set for US. That's no knock on CyberWurx, moreso a knock on us for yolo-ing this server into “production” with tape and no test environment :D

The reality is we are vounteer supported. Right now the payments that the club receives from capusl users don't add up to enough to compensate (make ends meet for) your average professional software developer or sysadmin, at least if local tech labor market stats are to be believed.

We are all also working on other things, we can't devote all of our time to capsul. But we do care about capsul, we want our service to live, mostly because we use it ourselves, but also because the club benefits from it.

We want it to be easy and fun to use, while also staying easy and fun to maintain. A system that's agressively maintained will be a lot more likely to remain maintained when it's no one's job to come in every weekday for that.

That's why we also decided to upgrade to the latest stable Debian major version on baikal while we were there. We encountered no issues during the upgrade besides a couple of initial omissions in our package source lists. The installer also notified us of several configuration files we had modified, presenting us with a git-merge-ish interface that displayed diffs and allowed us to decide to keep our changes, replace our file with the new version, or merge the two manually.

I can't speak more accurately about it than that, as j3s did this part and I just watched :)

~

LOOKING TO THE FUTURE

We wanted to upgrade to this new Debian version because it had a new major version of QEMU, supporting virtio-blk storage devices that can pass-through file system discard commands to the host operating system.

We didn't see any benefits right away, as the vms stayed defined in libvirt as their original machine types, either pc-i440fx-3.1 or a type from the pc-q35 family.

After returning home, we noticed that when we created a new capsul, it would come up as the pc-i440fx-5.2 machine type and the main disk on the guest would display discard support in the form of a non-zero DISC-MAX size displayed by the lsblk -D command:

localhost:~# sudo lsblk -D NAME DISC-ALN DISC-GRAN DISC-MAX DISC-ZERO sr0 0 0B 0B 0 vda 512 512B 2G 0

Most of our capsuls were pc-i440fx ones, and we upgraded them to pc-i440fx-5.2, which finally got discards working for the grand majority of capsuls.

If you see discard settings like that on your capsul, you should also be able to run fstrim -v / on your capsul which saves us disk space on baikal:

welcome, cyberian ^(;,;)^ your machine awaits

localhost:~# sudo lsblk -D NAME DISC-ALN DISC-GRAN DISC-MAX DISC-ZERO sr0 0 0B 0B 0 vda 512 512B 2G 0

localhost:~# sudo fstrim -v / /: 15.1 GiB (16185487360 bytes) trimmed

^ Please do this if you are able to!

You might also be able to enable an fstrim service or timer which will run fstrim to clean up and optimize your disk periodically.

However, some of the older vms were the pc-q35 family of QEMU machine type, and while I was able to get one of ours to upgrade to pc-i440fx-5.2, discard support still did not show up in the guest OS. We're not sure what's happening there yet.

We also improved capsul's monitoring features; we began work on proper infrastructure-as-code-style diffing functionality, so we get notified if any key aspects of your capsuls are out of whack. In the past this had been an issue, with DHCP leases expiring during maintenance downtimes and capsuls stealing each-others assigned IP addresses when we turn everything back on.

capsul-flask now also includes an admin panel with 1-click-fix actions built in, leveraging this data:

https://git.cyberia.club/cyberia/capsul-flask/src/commit/b013f9c9758f2cc062f1ecefc4d7deef3aa484f2/capsulflask/admin.py#L36-L202

https://picopublish.sequentialread.com/files/admin-panel.jpg

I acknowledge that this is a bit of a silly system, but it's an artifact of how we do what we do. Capsul is always changing and evolving, and the web app was built on the idea of simply “providing a button for” any manual action that would have to be taken, either by a user or by an admin.

At one point, back when capsul was called “cvm”, everything was done by hand over email and the commandline, so of course anything that reduced the amount of manual administration work was welcome, and we are still working on that today.

When we build new UIs and prototype features, we learn more about how our system works, we expand what's possible for capsul, and we come up with new ways to organize data and intelligently direct the venerable virtualization software our service is built on.

I think that's what the “agile development” buzzword from professional software development circles was supposed to be about: freedom to experiment means better designs because we get the opportunity to experience some of the consequences before we fully commit to any specific design. A touch of humility and flexibility goes a long way in my opinion.

We do have a lot of ideas about how to continue making capsul easier for everyone involved, things like:

1. Metered billing w/ stripe, so you get a monthly bill with auto-pay to your credit card, and you only pay for the resources you use, similar to what service providers like Backblaze do.

(Note: of course we would also allow you to pre-pay with cryptocurrency if you wish)

1. Looking into rewrite options for some parts of the system: perhaps driving QEMU from capsul-flask directly instead of going through libvirt, and perhaps rewriting the web application in golang instead of sticking with flask.

2. JSON API designed to make it easier to manage capsuls in code, scripts, or with an infrastructure-as-code tool like Terraform.

3. IO throttling your vms: As I mentioned before, the vms wear out the disks fast. We had hoped that enabling discards would help with this, but it appears that it hasn't done much to decrease the growth rate of the smartmon wearout indicator metric. So, most likely we will have to enforce some form of limit on the amount of disk writes your capsul can perform while it's running day in and day out. 80-90% of capsul users will never see this limit, but our heaviest writers will be required to either change thier software so it writes less, or pay more money for service. In any case, we'll send you a warning email long before we throttle your capsul's disk.

And last but not least, Cybera Computer Club Congress voted to use a couple thousand of the capsulbux we've recieved in payment to purchase a new server, allowing us to expand the service ahead of demand and improve our processes all the way from hardware up.

(No tape this time!)

https://picopublish.sequentialread.com/files/baikal2

Shown: Dell PowerEdge R640 1U server with two 10-core xeon silver 4114 processors and 256GB of RAM. (Upgradable to 768GB!!)

~

CAN I HELP?

Yes! We are not the only ones working on capsul these days. For example, another group, https://coopcloud.tech has forked capsul-flask and set up thier own instance at

https://yolo.servers.coop

Thier source code repository is here (not sure this is the right one):

https://git.autonomic.zone/3wordchant/capsul-flask

Having more people setting up instances of capsul-flask really helps us, whether folks are simply testing or aiming to run it in production like we do.

Unfortunately we don't have a direct incentive to work on making capsul-flask easier to set up until folks ask us how to do it. Autonomic helped us a lot as they made thier way through our terrible documentation and asked for better organization / clarification along the way, leading to much more expansive and organized README files.

They also gave a great shove in the right direction when they decided to contribute most of a basic automated testing implementation and the beginnings of a JSON API at the same time. They are building a command line tool called abra that can create capsuls upon the users request, as well as many other things like installing applications. I think it's very neat :)

Also, just donating or using the service helps support cyberia.club, both in terms of maintaing capsul.org and reaching out and supporting our local community.

We accept donations via either a credit card (stripe) or in Bitcoin, Litecoin, or Monero via our BTCPay server:

https://cyberia.club/donate

For the capsul source code, navigate to:

https://git.cyberia.club/cyberia/capsul-flask

As always, you may contact us at:

mailto:support@cyberia.club

Or on matrix:

#services:cyberia.club

For information on what matrix chat is and how to use it, see: https://cyberia.club/matrix

Forest 2021-12-17

COVIDaware MN app investigation

---

Imported from https://cyberia.club/blog Originally published: 2020-11-27

---

starless 2020-11-27

Greetings to Netizens and Minnesotans!

It's your friendly neighborhood Cyberians here with an update on the new COVIDaware app as announced by the Governor.

You might be wondering: “Hey, how bullshit is this app? Will it track me when I sleep, will it tell the cops where I am for no good reason, will it take my firstborn son?”

We were wondering these things, too. We're hard at work finding answers to all these questions and more, and due to the urgent nature of the pandemic, wanted to give you an update.

Recently, the state of Minnesota released an app to help manage COVID-19 contact tracing, The COVIDaware MN app is based on an open source foss app for something called 'contact tracing', which helps people backtrack the places they've been in the last two weeks, should they later learn that they were contagious but pre-symptomatic for COVID-19. Due to the delicate nature of this sort of app, we reached out to the folks who wrote the open source app that COVIDaware MN is based on, and got a handful of helpful replies back.1 We also reached out to the state of Minnesota, but haven't gotten a response yet.2

The app that COVIDaware is based on is very privacy-friendly and the company behind it seems to have good values, but we still don't know exactly how much that source code was customized before it was released for use by Minnesotans. It's likely that the state's IT folks just added the appropriate assets to customize links to the local health department and that sort of thing, but we won't know that for sure without a response to our inquiry. There's a chance they've inadvertently done more than that, too— we'd love to read over the source code and check the modifications the state of Minnesota made to the FOSS base app.

We'll let you know when we hear back from the state, but for now, the base app looks very promising.

Additionally, should it become feasible (likely dependent on the state of Minnesota releasing the source code for the app), we're already hoping to be an alternative source for the official app, should you prefer something that's built on hardware not managed by the state of Minnesota.

We hope to hear back from our fair state government soon, and until then, wish you all a warm & safe holiday season!

source code: https://github.com/Path-Check/gaen-mobile

---

Imported from https://cyberia.club/blog Originally published: 2020-05-20

---

Forest 2020-05-20

WHAT'S NEW IN CAPSUL?

Capsul has been operated by hand so far, with business conducted via email. Obviously, this isn't the best user experience. If no one is on the other end at the time, the user might feel as if they are shouting into the void.

Ideally, users could pay for service, create and destroy capsuls, and monitor their capsul's status at any time.

So we set out to create an application enabling that, while keeping things as simple as possible. As of today, you can experience it firsthand!

—> https://capsul.org/ <—

WHAT IS CAPSUL? WHY WOULD ANYONE DO THAT?

Capsul started out as a “for fun” project to host multiple VMs with different operating systems on the same physical server.

A cloud compute provider experiment to find out:

• How hard is it to build basic compute-as-service functionality that has been mythologized and commoditized by some of the biggest software businesses of all time.

• What problems have to be solved in order to do this at a small scale?

• And last but not least, how much better-than-the-big-boys can we do? :P

I heard about Capsul and I thought, cool, why not.

At first, I was slightly dismissive of the project — why re-invent the wheel? There are lots of established tools for creating cloud services already out there, surely they would be hard for us to measure up to.

Of course, you could argue, that's not the point. It's all about the journey, popping the hood and learning how things are put together.

But on the other hand, Capsul is something that we want to use, not just a pet project.

Can I depend on it?

/⁀\ _/‾⁀|, (‾‾____‾‾) | xx . .| / \ | [ >)
/ \ | ‶` ‾ |
I WANT TO BELIEVE | (X) DOUBT

Whether excited or doubtful, the tone of the question expresses the real utility and risk associated with DIY.

We have to make our own seat belts for this, an experience and practice that I personally feel is highly under-rated.

I don't want to give up and just leave it to the experts.

I want to build the confidence necessary to make my own systems, and to measure thier stability and efficacy.

(_/) [. .] ==<.>==

“ Anyone can Cook “

It probably helps that I've never seen a friend get hurt because of a flaw in something I designed, but even if I had, I'd like to think that I'd continue believing in the idea that technology is never “beyond” us. I could never make it through Technoholics Anonymous, because I'd never be able believe a Higher Power will restore sanity to the machine and save us from ourselves.

ABOUT THE DEVELOPMENT PROCESS

First step was to chose a language and framework. We made this decision (Python 3, Flask) almost entirely based on which language was the most commonly known in our group. I was the only one who had never used Python before, and I felt up to the task of learning a language as a part of this process.

Next, we had to decide how the system would work.

How would we secure user's accounts? How would users pay for capsuls? Would it be like a subscription, would you buy compute credits, or a receive a bill at the end of the month?

In the interest of simplicity, we opted to use a tumblr-style magic-link login instead of requiring the user to provide a password. So, you have to receive an email and click a link in that email every time you log in.

We also decided to go with the “purchase credits, then create capsul” payment workflow, because it was the easiest way we could accept both credit card and cryptocurrency payments, and we believed that requiring the user to pay first was an appropriate level of friction for our service, at least right now.

I had never worked on a project that integrated with a payment processor or had a “dollars” column in a database table before. I felt like I worked at the Federal Reserve, typing

INSERT INTO payments (account, dollars) VALUES ('forest', 20.00);

into my database during development.

The application has three backends:

• a postgres database where all of the payment and account data is stored

• the virtualization backend which lifecycles the virtual machines and provides information about them (whether or not they exist, and current IP address)

• Prometheus metrics database which allows the web application to display real-time metrics for each capsul.

All of the payments are handled by external payment processors Stripe and BTCPay Server, so the application doesn't have to deal with credit cards or cryptocurrency directly. What's even better, because BTCPay Server tracks the status of invoices automatically, we can accept unconfirmed transactions as valid payments and then rewind the payment if we learn that it was a double-spend attack. No need to bother the user about Replace By Fee or anything like that.

The initial development phase took one week. Some days I worked on it for 12+ hours, I think. I was having a blast. I believe that the application should be secure against common types of attacks. I kept the OWASP Top 10 Web Application Security Risks in mind while I was working on this project, and addressed each one.

1. Injection We use 100% parameterized queries, and we apply strict validation to all arguments of all shell scripts.

2. Broken Authentication We have used Flask's session implementation, we did not roll our own sessions.

3. Sensitive Data Exposure We do not handle particularly sensitive data such as cryptocurrency wallets or credit card information.

4. XML External Entities (XXE) We do not parse XML.

5. Broken Access Control We have added the user's email address to all database queries that we can. This email address comes from the session, so hopefully you can only ever get information about YOUR account, and only if you are logged in.

6. Security Misconfiguration We made sure that the application does not display error messages to the user, we are not running Flask in development mode, we are not running Flask as the root user, the server it runs on is well secured and up to date, etc.

7. Cross-Site Scripting (XSS) We apply strict validation to user inputs that will be represented on the page, whether they are path variables, query parameters, form fields, etc.

8. Insecure Deserialization We use the most up-to-date json parsing from the Python standard library.

9. Using Components with Known Vulnerabilities We did check the CVE lists for any known issues with the versions of Flask and psycopg2 (database connector), requests, and various other packages that we are using, although automating this process would be much better going forward.

10. Insufficient Logging & Monitoring We may have some room for improvement here, however, verbose logging goes slightly against the “we don't collect any more data about you than we need to” mantra.

If you would like to take a peek at the code, it's hosted on our git server:

https://git.cyberia.club/cyberia/capsul-flask

---

Imported from https://cyberia.club/blog Originally published: 2020-05-01

---

Subject: Cyberia Services Update: 2020-04 From: j3s Date: 01/05/2020

Ohai,

A lot has happened in services-land this month, and I'm hoping to pack as much of it as I can into this email. I will try to be brief, as there is a lot to cover. I'll also probably miss some stuff, woops!

Capsul ======

We added many new subscribers and many new features to Capsul this month, both technical and financial.

• OpenBSD 6.6 support Hello puffy! We now fully support OpenBSD 6.6 as an operating system choice on Capsul, and will support future releases of OpenBSD as well.

• Streamlined BTC/XMR payments Pay with bitcoin or monero? There is now a simple payment processor you may use to make donations or pay for Capsuls. See https://cyberia.club/donate for details.

• Guix System 1.1.0 support Guix System support is very near completion! There is one bug left to squash before it's available as a fully supported option! :D

• IPv6-only support Soon, you will be able to purchase IPv6-only Capsuls at a $2 per month discount from IPv4 prices.

• Cheaper base prices Pricing will very soon be heavily revised, and all Capsuls will be cheaper. Existing customers will be refunded the difference between the price they paid and the new Capsul price.

• À la carte disk size selection

  • All instances will start with a fully backed-up 10GB root volume.
  • We will be capable of taking variable disk size requests at 0.2c per GB per month! You are no longer stuck with the disk size your instance came with.
  • These additional disks are not covered by our backup schedule, otherwise we'd run out of disk space almost instantly :D we may offer a paid backup system for these additional disks in the future.

A huge thank you to our early Capsul users, I hope that everything has been running smoothly for you.

Nullhex =======

I have not focused on Nullhex much throughout April, but I do have some exciting ideas to share. Hit me up if you're interested.

• Reputation Nullhex emails are no longer marked as spam by Protonmail or Gmail, our domain reputation has grown substantially.

Matrix ======

Matrix has cemented itself as the center of our communication platform. If you aren't there already, feel free to register at https://matrix.cyberia.club and join the conversation.

If you don't like Matrix for some other reason, email me directly and we can figure out a way to bridge you into our conversations.

• Backend updated The backend has been updated & now supports cross-signing.
• Bridging We are considering bridging specific Matrix rooms with specific Discord rooms; more to come on this front.

Riot ====

• End to end encryption by default Riot-web is receiving an update next week™ that enables end to end encryption and cross-signing by default for all private conversations. Please prepare thyselves! More deets: https://lists.cyberia.club/~cyberia/ops/%3C126414c4-80bc-1d49-570e-cf3eba9e8362%40c3f.net%3E

• New preferences There are two new potentially userful riot-web preferences, in case you may have missed them:

  • sort rooms alphabetically
  • auto-syntax-highlight-detection

Forge =====

Forge is our development and project tool. It is intended to be used by anyone in the Cyberia community to host their projects, and Cyberia will eventually use it exclusively to host our group projects.

Forge is approaching the end of the alpha phase. There is still a bit of rockiness, but we've mostly settled on it as a full-fledged service, supported by Cyberia Services.

Forge handles the following (for now):

• git repositories
• mailing lists
• ticket trackers
• git-driven wiki pages
• paste service

Forge may handle the following in the future, if we have need for it:

• builds
• continuous integration
• mercurial repositories

Registration is now open to the public, sign up today! https://forge.cyberia.club

Mailing Lists =============

There are now three important mailing lists that people might consider subscribing to:

announce@cyberia.club = general announcements like this ops@cyberia.club = services branch discussion operational stuff = etc@cyberia.club – everything else

See them and read about them on the Forge: https://lists.cyberia.club/

If you have questions or comments about this announcement letter, feel free to email ops@cyberia.club and ask us about it :)

Misc ====

• Prometheus awareness We monitor our systems with Prometheus – like everything else Cyberia does, we operate it publically. Check it out at https://prometheus.cyberia.club

• Grafana awareness We recently set up Grafana, and fack has been hacking on some dashboards. It's available at https://grafana.cyberia.club for public consumption. If you'd like a read-write account, email me and I'll set one up for you.

• misc@c3f.net deprecated The misc@c3f.net list has been moved to the etc@cyberia.club list. I moved all previous misc@c3f.net subscribers to the new list, no action is required.

• Infra Hackathon There are thoughts about hosting a huge infra hackathon to move our systems from Debian to Alpine, with a giant laundry list of crap to do. We will be targeting a full weekend in the future. Just a heads up.

• Operations Handbook We have decided that a monorepo for all of our operational-related things is appropriate. See the handbook here: https://git.cyberia.club/services/ops-handbook/about

A final note: our services would be useless without the community that makes use of them. Thanks for all of your valuable feedback and discussion. You're all wonderful. Let's open the next world together.

Your lovely head of services,

j3s

---

Imported from https://cyberia.club/blog Originally published: 2020-03-11

---

Subject: Simple trusted compute: Announcing Capsul From: j3s Date: 11/03/2020

+———————————————————————————+ | | | ANNOUNCING CAPSUL | | | +———————————————————————————+

https://capsul.org

Over the last year we've moved at light speed. Cyberia Computer Club is now an entity. A formal nonprofit organization with a democratic structure.

We organized and bought a server. We crowdfunded, and spent countless nights testing different configurations. We strived to make the service very simple, and very maintainable. We're very proud of what we're announcing today. We think it's a very unique service.

Capsul is a service that provides people with compute in the form of virtual machines. All machines run on very fast solid state storage, and have direct T3 network access on a shared link. We do not collect user data (besides your email address), and discard as many logs as we feasibly can. Every VM is automatically backed up A more official privacy policy and TOS are coming soon.

To get you excited, here's a list of initially supported operating systems:

operating system supported ———————— ————- alpine yes ubuntu18 yes debian10 yes centos7 yes centos8 yes OpenBSD 6.6 planned GuixSD 1.0.1 planned Windows no, never AIX whyyyy

Our prices start at ~$5.99 a month:

type yearly cost cpus memory ssd ——— —————– —— ——— —— f1-s $70 1 512M 10G f1-m $120 1 1024M 25G f1-l $240 1 2048M 55G f1-x $480 2 4096M 80G f1-xx $960 4 8096M 160G f1-xxx $1920 8 16G 320G

Capsul is very easy to use – no signup or registration is necessary. Simply send an email to capsul@c3f.net with your requirements, and you'll have VMs that you can ssh into within a day or so.

Capsul machines are currently paid for on a yearly basis, and we'll make every effort to remind you of payment before your year expires. Capsul is very price-similar to services like Vultr or Digital Ocean.

What sets Capsul apart?

Simply: our organization and our morality.

Cyberia Computer Club values privacy, simplicity, transparency, accessibility, and inclusion. We have no shareholders, investors, or loaners, therefore every change we make is directly beneficial to you. We actually care about your experience, and it will only get better with time – never worse.

We have a lot more coming for Capsul. The next planned features include: – private networking – openbsd support – monthly payments – instant provisioning and decoms – ipv6 support (with a reduced price instance type) – a storage service (for those who want pictures)

That's all for now! Send us an email and get started with Capsul today! :)

love,

j3s

additional resources;

Check out the Capsul website: https://capsul.org Check out our bylaws here: https://cyberia.club/bylaws Donate to the cause: https://cyberia.club/donate All of our source code: https://git.cyberia.club Chat with us on Matrix: #cyberia:cyberia.club Chat with us on IRC: #cyberia on freenode