#Seppo! - NLnet - (August 2022)

This is the Q&A part of the application. Not sure where the application itself can be found.

https://blog.mro.name/2022/09/nlnet-grant-application/

Dear ,

thank you for asking, your questions are obvious but there was no room in the application. So I am happy to answer!

On 26 Sep 2022, at 12:54, wrote:

you applied to the 2022-08 open call from NLnet. We have some questions regarding your project proposal #Seppo!.

You requested 50000 euro. Can you provide some more detail on how you arrived at this amount? Could you provide a breakdown of the main tasks, and the associated effort?

There is a rough project plan summing up to 6 months full time effort, the figure mentioned. Milestones being

  • Personas and user stories for the central use cases including lifecycle and housekeeping,
  • Security audit, especially of the file system storage concept as part of mentoring,
  • non-functional UX design prototype,
  • Project plan/calendar.

In parallel approx. every 3 weeks

UX tests with users from the target groups (a la Steve Krug).

Each approx. 3 weeks for

  • Posts via CLI without web server (storage, engine),
  • Posts via web interface,
  • Reply, Boost via ActivityPub,
  • (Un)Follow, I/O, via ActivityPub,
  • Images,
  • POSSE to Twitter, Instagram, Facebook, possibly via 3rd party relay,
  • Optional further APIs: micro.blog, AtomPub, WebSub, pinboard.in

You did not mention any relevant (open source) projects you’ve worked on. Can you still provide this information?

Prior software projects were

  • GMX Customer Lifecycle and Ordering
  • iOS Sharing Extension https://codeberg.org/mro/ShaarliOS
  • Geohash service (OCaml) https://demo.mro.name/geohash.cgi

The first was as an employee (and is closed source) and the last 2 being open source.

See more in my CV. I am a long-time member of GI.de and ACM.org and have delivered several related lightning talks at the CCC.de congress.

What is your prior experience with ActivityPub?

My experience with ActivityPub is being an active community member at SocialHub - ActivityPub Special Interest Group for the time I did a proof of concept for liking (see at mro/activitypub: Some running real world usecases. - activitypub - Codeberg.org) and exploring ActivityPub. The result was successful likes and unlikes to mastodon, peertube, pixelfed, pleroma, lemmy and friendica (but not to gnu.social where I wait for its maintainer to respond).

Is #Seppo! a plan, or is there already running code/designs/etc? What is the architecture, and in which language will it be crafted? What specs would you be implementing and what level of compliance with the W3C ActivityPub standard can users expect?

#Seppo! is already slowly emerging (see the develop branch at mro/seppo: self-reliantly posting on the #Fediverse. 🐫 | ♊️ Mirror of https://code.mro.name/mro/seppo - seppo - Codeberg.org) but will take long and lack polish being a side project for personal use. The architecture is a monolithic CGI built with OCaml.org. #Seppo!’s main feature is self-operability for non-tech citizens, so it must be very lean on runtime dependencies and maintenance, but rock solid.

#Seppo! targets to implement ActivityPub federation at least with above mentioned implementations for Like, Respond, Boost, Follow, Unfollow and blocking. ActivityPub being the standard it is, requires repeated testing on each update of each single other server product. As a safety fallback there will remain an RFC 5005 Atom feed to subscribe to.

Is this all brand new code, or would you be reusing existing components or efforts? What would be the on-disk format in which content is to be stored, both local and remote content? What does the security model look like?

Aside from basic OCaml opam packages, e.g. for unicode or json handling or encryption, the code related to ActivityPub is mostly to be built, and some important bits are already done. Goal is as low a complexity as possible. That’s one pillar of the project.

Storage is in clear-text files on the server, the content in form of RFC 5005 paged atom feeds. All data is held in the form required by the consumers and updated on modification. No server code for reading.

How does it keep remote content in sync?

What remote content to keep in sync do you think of?

Would administration be through a user interface, or through config files? As a site becomes more successful and/or exposed to the outside world, other issues than easy deployment start to emerge: moderation, scalability, security etc. Can you clarify what your approach is for each?

The scaling to n=1 has surprising effects but one paramount precondition: The user must rent, own or control webspace and copy the CGI program there. The user legally owns that domain and acts on its own behalf. This must be explained encouragingly and carefully and is another pillar of the project. Config is done via web, no need to touch the clear-text config, still everything is inspectable.

Administration is mostly obtaining the CGI program and copying it to said webspace plus an initial start (choosing time-zone and name). There is exactly one user per server, so there are no malicious (write-allowed) users and there is no moderation.

Scaling to 10k followers shouldn’t be a problem as the server has to deliver static content only – which is written on edit by the said single, write-allowed user.

Incoming federation housekeeping is batched and throttled to keep #Seppo! responsive.

Thorough security analysis has to be done as part of the project repeatedly. The main idea is to keep complexity low and rather sacrifice features than safety.

What problem are you trying to solve, and for which target group?

#Seppo! enables non-tech persons to post and like self-reliantly and still have a life.

For everyday citizens currently there is no offer to self-reliantly and responsibly - without help or say of others - publish anything to the internet. You always need services and helpers and have to accept T&Cs because there are components that you can’t deploy yourself and those operators do at their own conditions.

And they tend to go out of business, get bought or otherwise change conditions over time.

#Seppo! can be deployed on dumb shared hosting webspace. No database and other server components required. It’s simple to mirror, backup and restore. Shared webspace is offered by thousands of vendors at affordable price, it’s a common infrastructure. And it’s all you need.

The target group are individuals and small groups such as

  • internet participants with up to 10k followers,
  • associations and NGOs without staff,
  • schools and youth projects,
  • Mastodon and Twitter users who want to write on their own behalf,
  • journalists who value decades of continuity,
  • Freethinkers who hesitate to accept terms and conditions,
  • Web hosters who want to offer this service.

There are many different types of AP powered applications (e.g. videostreaming, audio collections, podcasting, photosharing, etc.). Is there a specific specialisation/niche #Seppo! would have within that sphere?

Yes: your long-term, personal, reliable internet home for short texts and single pictures.

No Myspace/Google+/del.icio.us shutdowns or acquisitions, Facebook/Twitter blocks, no arbitrary rules, just civil law. No Wordpress, mysql, npm, ruby or php vulnerabilities or operational risks, no operating system updates.

Can you describe a more elaborate scenario how people would use the application?

Let me quote Patrick Breyer, MEP Pirate party: “ist eigentlich ganz charmant, auf den eigenen Server zu posten, ohne eine ganze Instanz betreiben zu müssen - solange das Cross-Posting ins Fediverse und die kommerziellen Plattformen funktioniert. Dann ja.” Patrick Breyer: "@mro@pleroma.tilde.zone Ist eigentlich ganz charm…" - chaos.social

(en: “it’s actually quite charming to post to your own server without having to run a whole instance - as long as cross-posting to the Fediverse and commercial platforms works. Then yes.”)

There is a whole movement POSSE - IndieWeb that longs for a simple solution to use individually as a non-tech person.

What is the main differentiator with projects like: https://nlnet.nl/project/Wordpress-ActivityPub, https://github.com/tsileo/microblog.pub and https://github.com/superseriousbusiness/gotosocial ? If people can easily install and maintain such applications as a plugin to Wordpress or with e.g. Yunohost, wouldn’t the threshold be low enough?

Wordpress brings huge security update pressure and so does maintaining a whole server (yunohost). Non-tech persons won’t do that on their own.

Go again is sponsored by Google and may change directions at any time as Google has done several times before. I have been watching Go for a decade, a predecessor of #Seppo! was GitHub - mro/ShaarliGo: ♊️ Mirror of http://mro.name/ShaarliGo | 🌺 self-reliantly posting on the #Fediverse with painless hosting and security in mind., now I show that useful things can be created without GAFAM dependencies and thus decades of reliability.

#Seppo! uses no database, no scripting engine, no containers, no runtime dependencies, is compiled and statically linked, not scripted and is operated by its single user. A tiny trusted computing base, based on mature technology but still part of the Fediverse.

#Seppo! relies on a not-for-profit funded, European toolchain (OCaml is led by the French INRIA, has 25 years of maturity, is a statically and strongly typed, garbage collected and functional programming language). The community is small, stable, competent and friendly.

#Seppo! is as convenient as a SaaS but you keep your sovereignty and still have a life.

I hope I have been able to answer your questions to your satisfaction.

Kind regards, Marcus Rohrmoser

https://blog.mro.name/2022/12/nlnet-seppo/


I am happy to announce that #Seppo received Grant 2022-08-141 from NLnet and the 🇪🇺 NGI Zero Entrust Fund to become reality in 2023.

All development will happen at seppo.social/sourcecode, I’ll report progress on seppo.social/blog and provide a test and demo to be investigated and stressed by anyone as soon as possible.

All in all it’s planned like this:

Memorandum of Understanding

Number: 2022-08-141

“#Seppo!” Project

The parties:

Stichting NLnet, domiciled in Science Park 400, 1098 XH Amsterdam, The Netherlands, referred to as “NLnet” in this document, represented by Bob Goudriaan,

and

Marcus Rohrmoser, an individual domiciled at in Germany

given that:

  • NLnet has the mission “to promote the exchange of electronic information and all that is related or beneficial to that purpose”.
  • NLnet manages the NGI0 Entrust fund, a fund dedicated to open technologies that improve privacy and trustworthiness. The fund was established with financial support from the European Commission’s Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594.
  • NLnet collaborates with a number of other organisations and experts within NGI0 Entrust to help improve the quality, sustainability and adoption of projects in a structured way.
  • In 1989, Sir Tim Berners-Lee invented the web as a ‘vague but exciting’ idea where individuals connect. Today it is dominated by some billionaire-run platforms that set arbitrary rules and lock the public in.
  • The “fediverse” recently became a viable open alternative, where many social media mini-platforms interconnect to form a world-wide social web.
  • The #Seppo! project adds a new tool to the fediverse that experiments with a simple approach to self-hosting, aiming for small-scale instances with easily customisable interfaces.
  • Marcus Rohrmoser is an experienced software developer and avid sustainability advocate that developed the publishing concept of #Seppo!; having individual agency and permacomputing at the heart.
  • Marcus Rohrmoser has expressed the intention to dedicate significant private time to contribute to self-reliant and responsible civic publication by developing the self-contained #Seppo!, creating encouraging instructions on how to obtain the prerequisites and making both available to the general public.
  • NLnet thinks that this project falls within its mission and the mission of the NGI0 Entrust fund, and wants to facilitate such a contribution.

agree to the following:

  • Marcus Rohrmoser has written the proposal “#Seppo!” which is attached to this document as Annexe I. Annexe I forms an integral part of this Memorandum of Understanding. If and where statements in this annexe or other annexes are in contradiction with one or more statements in the main memorandum text, the statement or statements in the main memorandum text will prevail.
  • Marcus Rohrmoser is voluntarily undertaking the project, and is solely responsible for all aspects of the project including planning and coordination as well as involving contributors and partners - as long as such happens in line with the terms and spirit of this MoU, and with their explicit and voluntary consent to join this Memorandum of Understanding with all its stated obligations and provisions, and to act in good faith.
  • The source code and technical designs of the Project (as well as any documentation and supporting materials officially produced within the project) are to be made openly available to the general public under a suitable free/libre/open source software or hardware license. Eligible licenses include the licenses recognised by OSI and FSF.
  • As the signatory of this MoU, Marcus Rohrmoser shall act as official point of contact in the context of this project; it is the responsibility of Marcus Rohrmoser to notify NLnet in case of any changes or issues.
  • NLnet commits to make a reservation for the amount of 50000 EUR to Marcus Rohrmoser in order to support the “#Seppo!” project. The reservation is bound to the proposal as contained within Annexe I of this MoU.
  • Should the project fail to complete the goals described in Annexe I, partially or in full, there is no other consequence than the termination of this MoU.
  • Marcus Rohrmoser commits to keep the user and developer community up to date with progress made within the project at least every two months (more often is never a bad thing) and will maintain a public status page for the project to keep the wider internet community informed. As a courtesy, Marcus Rohrmoser may send non-public updates about the status of the project to NLnet, but there is no obligation whatsoever to do so - NLnet is not operationally involved with the project; its only interest is the public benefit that is the result of the project succeeding in reaching its goals. Marcus Rohrmoser commits to help NLnet to clear any uncertainties about the overall effort and project achievements should the need for that emerge (e.g. in the context of an official audit).
  • The validity of the Memorandum of Understanding is one calendar year (twelve months) from the date of signing. If the project is not finished at this point of expiry, and the work is still relevant, it may be prolonged based on mutual agreement between NLnet and Marcus Rohrmoser. Any amendment to the MoU only changes the validity period if it explicitly establishes a new time frame, otherwise the original validity period stays intact.
  • Donations may be claimed up to the reserved amount within a maximum of six weeks after the end of the validity of the (amended) Memorandum of Understanding. Donations will be final when the specified milestones or previously agreed partial deliveries have been verified to have been completed. Payments will subsequently be made by wire transfer into a bank account designated by Marcus Rohrmoser. Payment requests submitted at a later date are not guaranteed to be paid.
  • NLnet and Marcus Rohrmoser may issue one or more individual or joint public statements announcing the project and the financial support from NLnet and the NGI0 Entrust fund. Marcus Rohrmoser is also encouraged to visibly and vocally acknowledge this contribution and the contribution of EC to the NGI0 Entrust fund (NGI Zero Entrust was established with financial support from the European Commission’s Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology.) where possible — e.g. through the public world wide web, promotional materials, in presentations, in the credits section of software and in source code.
  • The involvement with any particular person(s) or organisations will be on the understanding that these coordinate their activities in agreement with Marcus Rohrmoser, in the spirit of cooperation, and in an effort to achieve the results of the “#Seppo!” project. Marcus Rohrmoser appreciates the support from the experts and organisations involved with NGI0 Entrust to ensure that the results of #Seppo! will be of the widest possible benefit to all.
  • This Memorandum of Understanding cannot be seen as any kind of employment agreement or business contract. NLnet nor any of the organisations involved with NGI0 Entrust receive any goods or services as a result of this MoU. Any payments are to be made as charitable donations to Marcus Rohrmoser in the light of a voluntary contribution to the public benefit such as defined within the statutory mission of NLnet foundation. Marcus Rohrmoser is responsible for paying any and all taxes or other fees with regard to this grant, should there be any, and to inform any relevant authorities within their country of these donations should this be legally required.

On behalf of NLnet: Bob Goudriaan

Amsterdam - December 1, 2022

Marcus Rohrmoser

- December 1, 2022

Annexe I: Project plan #Seppo!

“Posting and liking self reliantly and still have a life.” #Seppo! empowers you to publish short texts and images to the internet as easily as using a SaaS but retain full agency and responsibility.

What you publish is solely subject to public law. No 3rd parties hold a stake, nobody else imposes any rules on you. This is because you publish on your own property. Which is possible because housekeeping is no more than the known follow/unfollow/block/unblock content moderation of your own single account. You do that by yourself. There are no scripting engines or databases, no technical updates required. You can focus solely on the message to deliver. You build an online presence on your own digital property, robust for decades if you decide so. #Seppo! is built on mature web standards, a European technology stack, inspectable plain-text storage, is security aware and decentralised. It is made for but not limited to off-the-shelf static webspace as offered by numerous vendors all over the EU. #Seppo! targets individuals and small organisations joining the #Fediverse with max. 10k followers, optionally cross-posting to the closed platforms.

#Seppo! is free software. The resulting code of each development task will be published on the project website. After every milestone there will be a full end-user documentation, and a test instance for demonstration and federation testing.

1. New instance via commandline interface (CLI)

Start a new instance on empty webspace by calling a commandline generator on the server. Verify the server settings, create and populate the required technical files to comply with the ActivityPub and Webfinger standards for a valid, externally visible @actor@example.com without posts or followers for now.

Milestone(s)

  • Create the seppo commandline program

Amount

€ 2400

2. New post via CLI

Post a new text message via the CLI on the server. Ensure posted messages are visible and make it to the ‘following’ instances and test with existing, real world instances of:

  • Mastodon
  • Pleroma
  • Peertube
  • Pixelfed
  • GnuSocial
  • Friendica
  • Lemmy
  • Mobilizon if available
  • Hubzilla if available
  • Bonfire if available

Milestone(s)

  • Update the seppo commandline program to post messages

Amount

€ 3400

3. New instance via web interface

Start a new instance on empty webspace by copying the seppo.cgi binary there and visit https://example.com/subdir/seppo.cgi. Verify the server settings, create and populate the required technical files to comply with the ActivityPub and Webfinger standards for a valid, externally visible @actor@example.com without posts or followers for now.
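
The files that tasks 1 and 3 create can be sketched as follows. This is an added example, not #Seppo!’s own code: it builds a WebFinger document and an ActivityPub actor for @actor@example.com and checks that the two agree, the way a remote server resolving the handle would expect. The URL layout (`/actor`, `/inbox`, `/outbox`), the function names and the placeholder key are assumptions.

```python
import json
from urllib.parse import urlsplit

AS2 = "https://www.w3.org/ns/activitystreams"
SEC = "https://w3id.org/security/v1"
ACTOR_TYPE = "application/activity+json"
# Placeholder, not a real key: a deployment would insert its own public key.
PLACEHOLDER_PEM = "-----BEGIN PUBLIC KEY-----\n(placeholder)\n-----END PUBLIC KEY-----\n"


def build_documents(user, base_url, public_key_pem=PLACEHOLDER_PEM):
    """Build the WebFinger JRD and the actor document for @user@host.

    The URL layout below base_url (actor, inbox, outbox) is hypothetical.
    """
    base = base_url.rstrip("/")
    host = urlsplit(base).hostname
    actor_id = f"{base}/actor"
    # Answer to GET /.well-known/webfinger?resource=acct:user@host (RFC 7033).
    jrd = {
        "subject": f"acct:{user}@{host}",
        "links": [{"rel": "self", "type": ACTOR_TYPE, "href": actor_id}],
    }
    actor = {
        "@context": [AS2, SEC],
        "id": actor_id,
        "type": "Person",
        "preferredUsername": user,
        "inbox": f"{base}/inbox",
        "outbox": f"{base}/outbox",
        "publicKey": {
            "id": f"{actor_id}#main-key",
            "owner": actor_id,
            "publicKeyPem": public_key_pem,
        },
    }
    return jrd, actor


def check_documents(handle, jrd, actor):
    """Return a list of inconsistencies; an empty list means the pair agrees."""
    user, _, host = handle.lstrip("@").partition("@")
    problems = []
    if jrd.get("subject") != f"acct:{user}@{host}":
        problems.append("webfinger subject does not match the handle")
    hrefs = [link.get("href") for link in jrd.get("links", [])
             if link.get("rel") == "self" and link.get("type") == ACTOR_TYPE]
    if hrefs != [actor.get("id")]:
        problems.append("webfinger self link does not point at the actor id")
    if actor.get("preferredUsername") != user:
        problems.append("preferredUsername does not match the handle")
    # Assumption: a single-webspace instance keeps all endpoints on its own host.
    for field in ("id", "inbox", "outbox"):
        url = urlsplit(str(actor.get(field, "")))
        if url.scheme != "https" or url.hostname != host:
            problems.append(f"{field} is not an https URL on {host}")
    key = actor.get("publicKey", {})
    if key.get("owner") != actor.get("id"):
        problems.append("publicKey.owner is not the actor id")
    if not str(key.get("id", "")).startswith(f"{actor.get('id')}#"):
        problems.append("publicKey.id is not a fragment of the actor id")
    return problems


if __name__ == "__main__":
    jrd, actor = build_documents("actor", "https://example.com/subdir")
    print(json.dumps(jrd, indent=2))
    print(json.dumps(actor, indent=2))
    print(check_documents("@actor@example.com", jrd, actor) or "consistent")
```
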

Milestone(s)

  • Create the seppo.cgi program

Amount

€ 2400

4. New post via web interface

Post a new text message via the web interface. Ensure the message is visible and makes it to the instances mentioned in task 2. New post via CLI.

Milestone(s)

  • Update seppo.cgi program to post messages

Amount

€ 3880

5. Security audit & improvements

With mentoring by Radically Open Security with focus on threat model.

Milestone(s)

  • Integrate the findings

Amount

€ 2400

6. ActivityPub Activities Like/Unlike, Reply, Announce

Support the following ActivityPub Activities:

  • Like/Unlike
  • Reply
  • Announce

Milestone(s)

  • Implement the activities on the web interface
  • Test against the instances mentioned in task 2. New post via CLI.

Amount

€ 3840

7. ActivityPub Activities (Un)Follow, Block

Implement the following ActivityPub Activities:

  • Follow/Unfollow
  • Block

Milestone(s)

  • Implement the activities on the web interface
  • Test against the instances mentioned in task 2. New post via CLI.

Amount

€ 5760

8. Housekeeping via web interface

Design & build housekeeping features.

Milestone(s)

  • password change
  • password reset (may imply deletion of a file on the webspace)
  • instance name, owner bio, account images
  • timezone
  • monitoring, server health
  • usage, federation queue stats

Amount

€ 5760

9. Accessibility audit

With mentoring by HAN University of Applied sciences and/or the Accessibility Foundation, with focus on everyday use as well as onboarding & housekeeping UX.

Milestone(s)

  • Integrate the findings

Amount

€ 2880

10. Images

Implement features & tests for posting images.

Milestone(s)

  • Post single jpeg and png images, care about alt text, strip metadata, scale to reasonable dimensions
  • Test against the instances mentioned in task 2. New post via CLI.

Amount

€ 3840

11. Improve UX

Milestone(s)

  • Improve UX based on user testing sessions

Amount

€ 5760

12. Improve reading UX via web interface

Fine tune the reading UX in terms of e.g. various screen form factors, input devices, lighting conditions and color schemes, threaded or chronological presentation, read/unread, daily / most recent, stats (accounts and tags with post counts), lists etc.

Milestone(s)

  • Make and UX test functional prototypes

Amount

€ 4800

13. Documentation and presentation

Milestone(s)

  • Publish online documentation on Seppo for users and developers. Write at least three comprehensive blog posts documenting (progress of) the project. (€ 1440)
  • Update documentation, write at least three additional blog posts, and present the project at a related event. (€ 1440)

Amount

€ 2880