AutobahnJS S3 bucket immediate removal

#1

Hi,

we (Crossbar.io GmbH) have not only provided massive development funding of AutobahnJS, but also free hosting of AutobahnJS _for development purposes_ (download it and host it yourself).

We asked people NOT to hot link to this bucket MULTIPLE times, as we have to pay for the traffic obviously.

Now, it seems, people don't get that.

Our traffic costs have persistently increased to a surprising level. I
just wanted to delete the log folder alone in that bucket - and I have a hard time, the log files number in the 100k's!

There seem to be a number of highly frequented sites hot linking to our
bucket.

Now, instead of injecting some nice JavaScript to completely take over
_all_ those sites (which is trivial and would take me half an hour to
do!), we have decided to remove the whole bucket.

Dozens of sites will break. Not our problem.

Cheers,
/Tobias

0 Likes

#2

Forgot:

The browser builds of AutobahnJS releases can be found here now: https://github.com/crossbario/autobahn-js-built

You will have to git clone and self host this.

The Node builds of AutobahnJS releases can be found here (unchanged): https://www.npmjs.com/package/autobahn

Cheers,
/Tobias

0 Likes

#3

Hi Tobias, as none of my sites seem to have broken, hopefully I’m not guilty of this … :wink:

Would it be worth putting a CDN account up, if you use cloudflare I think it’s a fixed $20 a month for unlimited usage …

I’ve been experimenting with a free cloudflare account to see how good it is …

https://cdn.linux.uk/js/autobahn/0.11.2/

Looks pretty tidy so far …

0 Likes

#4

(as opposed to S3 … I’ve never been able to run any sort of hosting on Amazon for under $20 a month, even before bandwidth charges …)

0 Likes

#5

Another alternative, I submitted an entry to “jsdelivr” last week, it’s just gone live today.
This is a free CDN link and by all accounts the performance should be pretty good.

https://www.jsdelivr.com/projects/autobahnjs (project)

https://cdn.jsdelivr.net/autobahnjs/0.11.2/autobahn.min.js (direct download)

https://cdn.jsdelivr.net/autobahnjs/0.11.2/autobahn.min.map (direct download)

I’ve taken the source, re-minified it to meet jsdelivr specs, re-added the copyright prefix and added a .map file …

If you’re Ok with this I’m happy to maintain it, alternatively I’m happy to hand it over if you want control?

(or I can take it down if you don’t think it’s a good idea …)

0 Likes

#6

Hi Gareth,

Another alternative, I submitted an entry to "jsdelivr" last week, it's
just gone live today.
This is a free CDN link and by all accounts the performance should be
pretty good.

https://www.jsdelivr.com/projects/autobahnjs (project)

https://cdn.jsdelivr.net/autobahnjs/0.11.2/autobahn.min.js (direct download)
https://cdn.jsdelivr.net/autobahnjs/0.11.2/autobahn.min.map (direct
download)

I've taken the source, re-minified it to meet jsdelivr specs, re-added the
copyright prefix and added a .map file ..

Why? These blobs now no longer match the fingerprints we publish for AutobahnJS.

If you're Ok with this I'm happy to maintain it, alternatively I'm happy to
hand it over if you want control?
(or I can take it down if you don't think it's a good idea ...)

No, we are discouraging users from using any CDN. Please do not promote this ..

Cheers
/Tobias

···

On 26.03.2017 at 23:21, Gareth Bult wrote:

0 Likes

#7

Why?

Because the minified version currently on offer in “built” fails the jsdelivr verification robot, I’m not sure what’s wrong with it, but there’s something it doesn’t like - no other reason.

No, we are discouraging users from using any CDN. Please do not promote this …

Ok, I will attempt to remove this entry, although given many JS libraries are moving towards CDN’s, this seems a little counter-intuitive ??

Just as a matter of interest, this is what I’m doing to generate a minified version that passes the bot’s validation process;

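```makefile
# Makefile
# Fetches autobahn.js from autobahn-js-built, prepends the preamble,
# then minifies it with UglifyJS and writes a source map.
# In the uglifyjs line, $$(cat ...) is expanded by the shell, so
# --preamble receives the contents of $(PRE), not the literal text "cat ...".
TMP=autobahn.js.tmp
SRC=autobahn.js
PRE=preamble.js
DST=autobahn.min.js
MAP=autobahn.min.map

.PHONY: all

all:
	@echo "Removing old files"
	@rm -f $(SRC) $(TMP) $(DST) $(MAP)
	@echo "Recovering latest version"
	@wget -q https://raw.githubusercontent.com/crossbario/autobahn-js-built/master/autobahn.js --output-document=$(TMP)
	@echo "Adding preamble ..."
	@cat $(PRE) $(TMP) > $(SRC)
	@echo "Uglify the code"
	@uglifyjs $(SRC) --preamble="$$(cat $(PRE))" -c -m --output=$(DST) --source-map=$(MAP)
	@echo "Ok, ready to roll ..."
```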

0 Likes

#8

Hi Gareth,

Why?

Because the minified version currently on offer in "built" fails the
jsdelivr verification robot, I'm not sure what's wrong with it, but there's
something it doesn't like - no other reason.

FWIW, the minified versions are built using Google Closure compiler.

No, we are discouraging users from using any CDN. Please do not promote this ..

Ok, I will attempt to remove this entry, although given many JS libraries
are moving towards CDN's, this seems a little counter-intuitive ??

I admit that I have a highly security and privacy motivated perspective here.

Unless all browsers have implemented SRI, there is a security issue:

A user that is using AutobahnJS within an app is trusting us (upstream). This is inevitable. When you don't trust us (AutobahnJS developers), don't use it;)

However, why should a user trust a CDN? A CDN can modify the library on-the-fly, and do all kinds of bad things.

Then the privacy issue: a CDN can track all users of _your_ site. This issue won't go away with SRI.

As a consequence, we're moving towards self-hosting.

Cheers,
/Tobias

···

On 27.03.2017 at 12:13, Gareth Bult wrote:

0 Likes
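
Added example (not part of the thread, and not Crossbar.io or jsdelivr code): a Node.js sketch of the Subresource Integrity check mentioned in #8, applied to the situation from #6 where a re-minified blob no longer matches the published fingerprint. The script bodies and the `/js/autobahn.min.js` path are constructed placeholders, not real AutobahnJS builds.

```javascript
// Added example: browser-style Subresource Integrity (SRI) check in Node.js.
const nodeCrypto = require('node:crypto');

// Algorithms defined for SRI, ranked so the strongest one listed wins.
const STRENGTH = new Map([['sha256', 1], ['sha384', 2], ['sha512', 3]]);

// Build an integrity value ("sha384-<base64 digest>") for a script body.
function sriDigest(body, algo = 'sha384') {
  return `${algo}-${nodeCrypto.createHash(algo).update(body).digest('base64')}`;
}

// Split an integrity attribute into {algo, hash} entries; unknown algorithms are dropped.
function parseIntegrity(attr) {
  return attr.trim().split(/\s+/)
    .map((token) => {
      const i = token.indexOf('-');
      return { algo: token.slice(0, i), hash: token.slice(i + 1).split('?')[0] };
    })
    .filter((e) => STRENGTH.has(e.algo) && e.hash.length > 0);
}

// Mirror the browser check: only the strongest listed algorithm counts, and the
// body passes if it matches any digest given for that algorithm.
function verifyIntegrity(body, attr) {
  const entries = parseIntegrity(attr);
  if (entries.length === 0) return true; // no usable metadata: nothing is enforced
  const best = Math.max(...entries.map((e) => STRENGTH.get(e.algo)));
  return entries
    .filter((e) => STRENGTH.get(e.algo) === best)
    .some((e) => sriDigest(body, e.algo) === `${e.algo}-${e.hash}`);
}

// Constructed sample bodies (placeholders, not real AutobahnJS builds).
const upstreamBuild = 'var autobahn={version:"0.0.0-sample"};';
const reminifiedBuild = '/* preamble */var autobahn={version:"0.0.0-sample"};';

// The site owner pins the digest of the build published upstream.
const pinned = sriDigest(upstreamBuild);
const tag = `<script src="/js/autobahn.min.js" integrity="${pinned}" crossorigin="anonymous"></script>`;

console.log(tag);
console.log('upstream build accepted:   ', verifyIntegrity(upstreamBuild, pinned));
console.log('re-minified build accepted:', verifyIntegrity(reminifiedBuild, pinned));
// A misspelled algorithm leaves no usable metadata, so the check is silently skipped.
console.log('misspelled algorithm:      ', verifyIntegrity(reminifiedBuild, 'sha-384-AAAA'));
```

Any byte-level change to the file, including a functionally identical re-minification, fails the pinned digest; the last line shows why an integrity attribute should be generated by tooling rather than typed by hand.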

#9

FWIW, the minified versions are built using Google Closure compiler.

Ok, you appreciate I’m not criticising your minified version, when I say “wrong” there is merely relative to the jsdelivr “bot”. I’m not agreeing with the bot, merely complying with it in order to get the file submitted. It would have been much easier if it had just accepted your version, I didn’t make work for myself without a reason … :slight_smile:

Whereas I agree absolutely with everything you’ve said, maybe if I could suggest a specific use-case;

I’ve had my plugin approved by Wordpress, so shortly (!) I will be releasing a Plugin to the WP directory that leans heavily on Autobahn.

Many sites use “Jetpack” which includes “photon”, the Wordpress CDN, which transparently CDN’s all local JS resources.

So most performance sites will end up using a copy of Autobahn from a CDN “anyway”.

  • so the argument about not using a CDN in this instance is redundant and the choice is whether Autobahn is served up from the Wordpress CDN (or some other CDN implemented by the website) or from a Crossbar.io regulated CDN.

Given this choice, would a Crossbar.io CDN not make sense??

(for the central site / authenticated access - I do want a local copy, and because it’s “my” site I can enforce that)

In this instance (from a security perspective) if a flaw (god forbid) is discovered in AutobahnJS, would it not make sense to be able to immediately push a new version to a CDN and force a cache purge, rather than waiting weeks or months for potentially tens of thousands of vulnerable websites to run updates?

Gareth.

0 Likes

#10

how about a 301 redirect to “https://clone-or-download-from–github.com/crossbario/autobahn-js-built.git” so people can immediately know where to go, or replace the AWS .js with an alert(…similar message…);

···

On Mon, Mar 27, 2017 at 7:55 AM Gareth Bult garet...@gmail.com wrote:

0 Likes

#11

"Dozens of sites will break. Not our problem.

Cheers,
/Tobias "

Arrogant prat. Off the top of my head I can think of three ways to having

Not sure - I'm not a native speaker, so might be wrong about "prat", but if you think I'm an idiot, then I'd recommend not using _any_ of our stuff, as significant parts of the code have been written by me.

I do mean that seriously: I wouldn't do myself! When I don't trust a developer, then I am having a hard time justifying using it. This isn't possible always, but in general ..

Anyway.

···

On 28.03.2017 at 16:49, Craig Peacock wrote:

addressed this problem professionally...
Now we all know that "Crossbar.io GmbH" employs only the most arrogant of
prats...

On Thursday, 23 March 2017 00:27:00 UTC+2, Tobias Oberstein wrote:

0 Likes

#12

"Dozens of sites will break. Not our problem.

Cheers,
/Tobias "

Arrogant prat. Off the top of my head I can think of three ways to having addressed this problem professionally…

Now we all know that “Crossbar.io GmbH” employs only the most arrogant of prats…

···

On Thursday, 23 March 2017 00:27:00 UTC+2, Tobias Oberstein wrote:

0 Likes

#13

Hi,

Who is Tavendo GmbH ? Has it something to do with Crossbar.io GmbH ?

The official site of AutobahnJS (main page) has a download link that is still pointing to amazon... not working anymore :frowning:

Regards.

···

On 22/03/2017 at 23:26, Tobias Oberstein wrote:

0 Likes

#14

Hi,

Who is Tavendo GmbH ? Has it something to do with Crossbar.io GmbH ?

Tavendo GmbH was our old company, the new one is Crossbar.io GmbH.

The official site of AutobahnJS (main page) has a download link that is
still pointing to amazon... not working anymore :frowning:

Sorry, we are still working on transitioning due to the company change, and fixing links on the go.

Thanks for letting us know!

For the time being, please see

https://github.com/crossbario/autobahn-js#get-it

The description and links are correct.

I know broken links and outdated docs suck, we're working on it, but we are a small company with limited resources.

Cheers,
/Tobias

···

On 28.03.2017 at 17:25, Remi Jolin wrote:

Regards.

On 22/03/2017 at 23:26, Tobias Oberstein wrote:

0 Likes