Built-in synchronization #819

Open
fabiospampinato opened this issue Sep 13, 2019 · 26 comments

@fabiospampinato fabiospampinato commented Sep 13, 2019

Synchronization support should be built-in, in order to make it easier to use. It will enable better mobile apps and other features.

@fabiospampinato fabiospampinato added this to the Future milestone Sep 13, 2019

@orangelynx orangelynx commented Oct 10, 2019

Adding to the discussion:

The protocol used for Sync should be

  • open / well known / standardized.
  • easy to integrate with LAN-Sync and Homeserver-Sync setup
  • a third option for people interested in sync over the internet without a personal homeserver would be nice as well. This could for example include a cloud service which offers an interface for the chosen protocol (e.g. webdav)

As protocol, WebDAV comes to mind. It sure has issues but is well known and established in the open source community. Downsides are the high complexity of the protocol (afaik). Perhaps there are better alternatives.

For Sync, not only a file transmission / storage access protocol is needed, but also a sync protocol, that compares files. Here we can perhaps learn a lot from Syncthing.

In case Sync screws up, there should be an option for automatic backups.

@oleksalab oleksalab commented Oct 17, 2019

Hi! Maybe you don't have to develop sync yourself and can just look at Seafile integration for a self-hosted solution. Seafile already supports Markdown editing and preview, has a git-like engine with version control support, and is very mature and stable. Maybe you can just provide an integration mechanism with it. That way you can also free up your resources to make Notable more mature and powerful and concentrate your efforts on mobile apps, and maybe add more features to the desktop apps, like alarms or timed notifications. Please consider looking at Seafile.

P.S.: You are doing a nice job and it's an excellent product!

@fabiospampinato fabiospampinato commented Oct 17, 2019

@oleksalab I'll check it out 👍

@meinto meinto commented Dec 29, 2019

In my opinion you don't need a built-in synchronization solution. All this is already done by Syncthing. It's open-source, encrypted and peer-to-peer, which makes it secure and private.

I would recommend mentioning this way of synchronization in the documentation as the recommended way to go. Personally I think that notes are such a private thing that it's worth it for every user to deal with solutions like Syncthing, even if it is an additional tool to install.

For example, I use the Android client, the Mac client and the Docker version for my server to sync my notes. Works like a charm. :)

@fabiospampinato fabiospampinato commented Dec 29, 2019

> In my opinion you don't need a build in synchronization solution.

Eventually this app will become usable by regular people too, and they can be asked to set up Syncthing on their own. I'll surely take a look at how Syncthing works though.

@Kellermaan Kellermaan commented Feb 14, 2020

The app is really excellent, and if you are going to add the syncing function, WebDAV is a wonderful choice. Thanks for your effort, by the way.

@NuSkooler NuSkooler commented Apr 23, 2020

I use Notable because of its simplicity and the ability to use my own sync (Nextcloud, personally). Synchronization is a big can of worms which for a small project will very likely distract from the core features of the app, so tread waters carefully.

If you do decide for sure to do this, at least make it optional.

@fabiospampinato fabiospampinato commented Apr 23, 2020

@NuSkooler It can be a can of worms but it's important to make the project long-term sustainable.

It will be opt-in, available behind a subscription actually.

@troilus troilus commented May 10, 2020

Hope WebDAV is supported.

@nickbe nickbe commented Sep 18, 2020

Security? How do I know you're not reading everything I note? A built-in solution which just does the syncing and which cannot be disabled can't be good.

@fabiospampinato fabiospampinato commented Sep 18, 2020

@nickbe the built-in solution will be opt-in and to be paid for. Security-wise I'm thinking end-to-end encryption is the way to go.

@smblee smblee commented Nov 29, 2020

Updates on this issue?

@nickbe nickbe commented Dec 2, 2020

@fabiospampinato I think you misunderstand me here.... I'm talking about the risk of you reading everything we store on your servers.... not about transport encryption.

@fabiospampinato fabiospampinato commented Dec 2, 2020

> @fabiospampinato I think you misunderstand me here.... I'm talking about the risk of you reading everything we store on your servers.... not about transport encryption.

End-to-end encryption doesn't mean TLS, data in the server would be stored in an encrypted form and I won't have the decryption key.

@nickbe nickbe commented Dec 3, 2020

But basically this is also something that involves trust, isn't it?

@fabiospampinato fabiospampinato commented Dec 3, 2020

@nickbe What do you mean, are you planning on making your own computer and operating system from dirt or something? Unless you plan on doing that you'll have to have some trust in the people making the apps you are using, or the people making the operating system you use, or the people making the processors everything you do runs on.

@nickbe nickbe commented Dec 4, 2020

@fabio:
I've had my share of people I've trusted over the years. We had fraud and money theft and paid dearly for that.

If you think you can trust people....look around.... and think again. Read the daily reports about data theft, misuse of servers, services and so on. Our servers are attacked 24/7 - we block dozens of IPs every day.

In our line of business - security comes first - then curiosity. We support many projects, with work and/or money. But we always ask questions.

This might seem uncomfortable and uncommon for you - but the criminal intent or stupidity of people we encounter every day is proof that I'm right in what I do. Asking questions is probably the best thing we humans can do. It's a way to survive and to evolve.

@fabiospampinato fabiospampinato commented Dec 4, 2020

> security comes first

I hear you, that's why the cloud offering will be end-to-end encrypted. If that doesn't sound good enough to you then, as I said, unless you build your own computers from dirt that opinion is useless.

@NuSkooler NuSkooler commented Dec 4, 2020

You can keep the source OSS so the end-to-end can be reviewed and still have a business model if you want to sell SaaS syncing. E2E is something you'll want peer reviewed if you want trust.

@fabiospampinato fabiospampinato commented Dec 4, 2020

@NuSkooler How do you suggest to get the actual code that runs on the server to get peer reviewed? Should I give access to every person asking to review it?

@nickbe nickbe commented Dec 5, 2020

What you would actually need is a complete client-side JS encryption that can be reviewed by anyone. That way we could check and confirm that whatever reaches a server is already highly encrypted with the user's password and cannot be decoded without his keys.

@fabiospampinato fabiospampinato commented Dec 5, 2020

@nickbe If one really wants to, the current bundles can be unpacked and inspected (and really that must be done when questioning trust; it doesn't matter what code somebody publishes if the shipped one could be totally different). Of course production code is not development code, so don't expect comments and stuff. Also, the devtools are always available and can be used to inspect network requests; of course network requests can also be intercepted at a lower level, which would make sense to do since trust in the app would be the thing being questioned.

@NuSkooler NuSkooler commented Dec 5, 2020

@fabiospampinato If you do it correctly you don't need to release the server side implementation. A review of the client side will reveal if the data can or cannot be accessed server side / by anyone but the account / key material owners.

@nickbe nickbe commented Dec 5, 2020

@fabiospampinato Exactly.
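
The client-side encryption discussed in the exchange above, as an added example that is not part of the thread and not Notable's code: the note is encrypted on the device with a key derived from the user's password, so the server only ever stores ciphertext. The function names, the blob layout, the scrypt settings and the choice of scrypt with AES-256-GCM are assumptions made for illustration.

```javascript
// Added illustration, not Notable's code. Names and parameters are assumptions.
const nodeCrypto = require("node:crypto");

// scrypt cost settings (assumed; tune for the slowest supported device).
const KDF = { N: 2 ** 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };

// Derive the 256-bit key on the client. The salt is not secret and can be
// stored with the account; the password and key never leave the device.
function deriveKey(password, salt) {
  return nodeCrypto.scryptSync(password, salt, 32, KDF);
}

// Encrypt one note. The note ID is bound as associated data so a server
// cannot return note A's ciphertext in place of note B's without detection.
function encryptNote(key, noteId, text) {
  const iv = nodeCrypto.randomBytes(12); // fresh nonce for every encryption
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(Buffer.from(noteId, "utf8"));
  const ct = Buffer.concat([cipher.update(text, "utf8"), cipher.final()]);
  return {
    noteId,
    iv: iv.toString("base64"),
    tag: cipher.getAuthTag().toString("base64"),
    ct: ct.toString("base64"),
  }; // this object is all the sync server receives
}

// Decrypt on another device. Throws if the key is wrong or the blob was
// modified, because the GCM tag no longer verifies.
function decryptNote(key, blob) {
  const decipher = nodeCrypto.createDecipheriv(
    "aes-256-gcm", key, Buffer.from(blob.iv, "base64"));
  decipher.setAAD(Buffer.from(blob.noteId, "utf8"));
  decipher.setAuthTag(Buffer.from(blob.tag, "base64"));
  return Buffer.concat([
    decipher.update(Buffer.from(blob.ct, "base64")),
    decipher.final(),
  ]).toString("utf8");
}

// Constructed sample data.
const salt = nodeCrypto.randomBytes(16);
const key = deriveKey("correct horse battery staple", salt);
const blob = encryptNote(key, "note-1", "# Private\nmeeting notes");
console.log(blob, decryptNote(key, blob));
```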

@icorbrey icorbrey commented Feb 9, 2021

I might have missed it, but has automatic syncing to a git repo been considered? I would love to just point Notable at a private repo on my GitHub.

@fabiospampinato fabiospampinato commented Feb 9, 2021

> I might have missed it, but has automatic syncing to a git repo been considered?

@icorbrey Considered and dismissed.

> I would love to just point Notable at a private repo on my Github

You can just do it; you don't need the app to do anything in order for you to be able to do that. There are scripts like git-sync that make this easy.
