There was a recent related discussion on Hacker News and the top comment discusses why this sort of solution is not likely to be the best fit for smaller organizations. In short, doing it well requires time and effort from someone technically sophisticated, who must do more than the bare minimum for good results, as you just learned.

Even then, it’s likely to be less reliable than solutions hosted by big corporations and when there’s a problem, it’s your problem. I don’t want to discourage you, but understand what you’re committing to and make sure you have adequate buy-in in your organization.

Telegram isn’t open source, so I don’t think you’re going to find forks of it.

I stand corrected. Telegram’s client is open source (GPL) and what OP is asking for is reasonable.

That’s a valid point, though it looks like Popfile’s installation instructions call for manually installing libraries, presumably current ones. I think it processes only text, not PDFs or images, which are traditional sources of vulnerabilities. I’m fairly certain it doesn’t attempt to execute Javascript. It is, itself written in Perl, which is memory-safe.

It’s worth considering security because there’s so much malware out there trying to spread indiscriminately, but Popfile is less vulnerable than an Android app (which bundles its dependencies) or anything written in C (which is subject to all kinds of memory management bugs).

Abandoned doesn’t necessarily imply no longer useful. Sometimes, though rarely in the modern world software is finished.

I may give it a try. It does actually have the features I’m asking for.

I’ve been using one of the Javascript variants of this for a while. While that is a little heavier weight for the client than this completely static solution, it’s ultimately just a few kilobytes and minimal processing that’s fast even on old devices.

The EFF has a good document on this topic.

It uses the Mastodon API in a client-side script adapted from this one.

I’ve been self-hosting Mastodon for a while and mostly using it to share bird photography, but also to provide comments on a static site. Since Mastodon and Lemmy both speak ActivityPub, those get crossposted to /c/flashlight so Lemmy comments are also included on my site. Federation is cool.

I don’t follow many accounts that post Fediverse meta stuff on Mastodon. While I have some interest in the best examples of that content, the only way to attract a broader community is to promote accounts and content appealing to the interests of that broader audience.

VPNs have multiple effects. Which ones are you asking about?

The common ones that come to mind are:

• Preventing remote servers from seeing your real IP address
• Bypassing attempts to block access to popular Lemmy servers, either by network operators or the server itself

It won’t do the former because media gets loaded directly from federated servers. It might do the latter.

Assuming USA - platform immunity (CDA 230) protects you from most liability for content originating elsewhere. There are specific requirements to maintain your immunity if you receive a DMCA takedown notice, or have actual knowledge that child pornography has been uploaded to your service.

Solved-ish.

I got webpack to run reliably by replacing its use of md4 with sha256 in these files:

$ grep -r md4 node_modules/webpack
node_modules/webpack/lib/ModuleFilenameHelpers.js:      const hash = createHash("md4");
node_modules/webpack/lib/optimize/ConcatenatedModule.js:                const hash = createHash("md4");
node_modules/webpack/lib/optimize/SplitChunksPlugin.js:         .createHash("md4")
node_modules/webpack/lib/NamedModulesPlugin.js: const hash = createHash("md4");
node_modules/webpack/lib/SourceMapDevToolPlugin.js:                                                             contentHash: createHash("md4")
node_modules/webpack/lib/WebpackOptionsDefaulter.js:            this.set("output.hashFunction", "md4");
node_modules/webpack/lib/HashedModuleIdsPlugin.js:                              hashFunction: "md4",

then in `config/initializers/content_security_policy.rb’, I replaced the line

.script_src :self, assets_host, "'wasm-unsafe-eval'"

with

p.script_src :self, assets_host, "'wasm-unsafe-eval' 'unsafe-eval'"

This seems like way more tinkering with the code and defaults than I should need to keep the server running so I’ll probably dig more later. I hope this post ends up being useful to anyone else having an issue.