Weeknote: 2024-W22-24

17 June 2024

This time I’m going to wrap up 3 weeks into one note, because a lot of life stuff happened, not really leaving much time for Manyfold.

Week 22

It was half term in the UK, so with the kids off school, we went away for a long weekend. We stopped off at Winchester Science Centre on the way home; I highly recommend it if you have kids and are ever in the area.

Then I had a couple of days back at work, mainly trying and failing to get my head back into the Shrine work from week 21, while also fixing a couple of bugs and merging some contributions that had been sent in. The security audit was in full swing in the background too.

But, I only had a couple of days though before it was time for the big event of my year, Electromagnetic Field. It’s a tech/hacker/maker festival that happens every two years, and every time, its the best thing I’ve ever been to.

On the Friday, while I was there, I put in an application for another round of NLNet funding, under their NGI Zero Commons call; hopefully it will succeed, I think I’ve achieved a lot with their help so far! We’ll know more in a few weeks…

Week 23

So, I got back from EMF on the Monday, and I gave myself Tuesday off because (a) it was my birthday and (b) I was about as tired as it’s possible to be. So much sleep needed.

Wednesday I should have been back on it, but suddenly… COVID. I’d obviously picked it up at EMF somewhere, and that then wiped me out until the weekend.

Week 24

OK, back to actual work, and in amongst all that the security audit had been finished. I was very pleased with the results, and the process run by Radically Open Security was fantastic. All in all, there was one item in the High category, two Elevated, five Moderate and three Low. Most of those, I expected. There were a few I hadn’t known about before, but in general I was happy with the outcome.

I spent the week trying to work through them with post-COVID brain, mostly the big ones around file upload and login. It’s taking a bit longer than I hoped to get through them, but we’re getting there.

The nice thing is that fixing these is hitting a lot of other things I wanted to fix or change. For instance, the High severity issue was that the Docker container was running the application as root, which is obviously a danger with an app that manipulates the local filesystem. That can now be fixed using PUID and PGID environment variables to set a user, in the same way as the Linuxserver images do, which I’ve wanted to do for ages and brings me more into line with the way a lot of self-hosted apps operate.

Those fixes will be coming in a release early this week, hopefully, once I’ve got the big stuff ticked off and tested.

Next…

I’m going to stay on security issues until I’ve got all the High and Elevated sorted out, then it’ll be time to go back to Shrine and finish off the file management rewrite.

With that done, there’s a few more things, but I’m thinking it’s getting close to time to put a 1.0 stamp on this thing; with all the core features in place, and security and accessibility audited, it would be a good line to draw.