There were comments about security risks though, based on being a small project with a LOT of integrations.

time will show, but the only thing i actively regret adding was the support for discord embeds (the “og” option); opengraph is an awfully designed concept and, unrelatedly, it has been a source of a handful of bugs in how it was implemented in copyparty (that one’s on me). Keeping that disabled avoids a lot of edgecases, most of which are decreed by the opengraph spec.

That said, there’s no features keeping me up at night; i think for the most part things are fine – just don’t enable the smb server 😁

so uhh, sorry for the late response to this – was going to reply much earlier, but then suddenly it became more timely than ever…

the good news is, I’m fairly confident in how it handles the filesystem and permissions, preventing unauthorized access to files.

but the part I’m a bit less sure about is sanitizing user data; the kind of vulnerabilities where someone uploads a malicious file and bad stuff happens if you then open that file in a certain way, or someone sends you a malicious link and trick you into clicking it – in other words, the kind of vulnerabilities which require the attacker to have a certain level of access already, or that requires tricking you into doing something.

…and with version 1.18.5 released just now, we got a prime example of exactly one of those. Really unfortunate timing, but it’s a blessing to have so many new and curious eyes on it to spot these sooner rather than later. It is what it is.

the intention with that statement was that seafile, by default, places all the files inside its own proprietary file container thing, where the files are not easily accessible from the server’s actual filesystem, using regular linux utilities. My knowledge of seafile is really minimal, so this could be wrong – in which case I’ll fix that right away! or, at the very least, try to clarify what I meant to avoid this confusion.

in case you happen to know – are you aware if it’s possible to use Seafile while having it just place all the files and folders on the disk like any other program would?

awesome thanks, should be able to reproduce it then :>

man… that’s really unexpected, I went with h264+mp3 which should be the most conservative / broadly-supported combination you could possibly use, yet still (ﾉ ﾟヮﾟ)ﾉ ~┻━┻

what webbrowser / device / player are you using?

that should be totally fine, I think a lot of people are doing that :>

No worries, good question :>

The problem with bidirectional filesync is that it’s an absolutely massive can of worms, very easy to mess up, and the consequences of messing up are usually the worst kind (loss of data). There’s an insane amount of edgecases to keep in mind, and you need to get every edgecase right every single time, otherwise you might wipe someone’s vacation photos, or suddenly downgrade someone’s keepass database to an older version… And stuff like syncing multiple devices to the same server makes it balloon further.

I’ve started becoming more confident in copyparty’s filesystem-index database, but it’s still just a hint/guideline, with the filesystem being the only source of truth – it’s still not something I’d trust with tracking sync-state against one or more clients.

The bigger guys who offer bidirectional sync (nextcloud, syncthing, etc.) have spent years perfecting their logic, so I’d like to leave this in their capable hands.

copyparty-sfx.py is a custom packer (see this reply) created by make-sfx.sh, and copyparty.pyz is a standard zipapp, created by make-pyz.sh. The zipapp has more disadvantages than the sfx.py, so that’s the default/recommended build.

sure! my implementation is really basic, just the stuff that’s needed to make the clients i’ve tested happy, so there’s probably still clients that won’t be able to connect (And i’ll fix those as soon as I hear about them!)

httpcli.py is the http methods handler, and the webdav-specific handlers are all next to eachother, propfind // proppatch // lock // unlock // mkcol // and there’s also put for the uploads, but that’s not entirely webdav-specific, just webdav-aware.

sooo this is one of the things that started with someone saying “wouldn’t it be funny if…”

if you open copyparty-sfx.py in a text editor, you’ll see how – but please make sure to use an editor which is able to handle about 600 KiB of comments which contain invalid utf8 / binary garbage 😁

I ended up rolling my own packer since I wanted optimal encoding efficiency, and everything I could find would do stuff like base85 or ucs2 tricks, but it turns out python is perfectly happy with binary garbage in comments if you declare that the file is latin-1 so it realizes all hope is lost :D

the only drawback of the sfx.py is that it needs to extract to $TEMP before running, so that’s the slight advantage of the zipapp (the .pyz alternative), but that suffers from some performance reduction in return, and is more hermetic (doesn’t let you swap out the bundled dependencies with fresh versions as easily if necessary)

I have a hunch that the true answer, to be honest, is “no” – at least with the current UI as it is. I’ve come to terms with not being the best at making intuitive user interfaces, so I went all-in on making it poweruser-friendly and efficiency instead.

Yeah, there’s the android app for sending files to the server, and it’ll always send files to the same folder, so that part should be pretty solid. But actually grabbing files from the server, perhaps not so much. Not sure I’d risk it, but I’ll leave the decision to you hehe

I’m not aware of any user-friendly android/iOS apps for connecting to a webdav / ftps / sftp server, but if those exist, then that would probably have been a good option!

Yep – https://github.com/9001/copyparty/tree/hovudstraum/scripts/docker

Hopefully that description makes sense (let me know if it doesn’t)

Yep! Depending on what your home connection looks like, you have a few options:

if you are lucky enough to have your own private IP-address and are able to open ports, then you’re almost done already – you can put copyparty on some port (or keep the default 3923), and then anyone could connect to it by going to https://your.ip.address:3923/

(with this approach, you will want to create your own HTTPS certificate so the traffic is properly encrypted – the best option here is to get a domain and get a certificate for the domain)

however, if you are behind CGNAT, meaning your internet provider has given you a shared IP-address, then people cannot connect directly to your home-PC. One way around that issue is by setting up a machine somewhere on the internet which bridges the gap back home to your PC. Cloudflare offers this as service, and this is explained in the copyparty readme – see the “at home” section for one way to do that.

if you are against using Cloudflare for idealistic reasons (they are becoming quite powerful since they run a whole lot of the internet), then you can set up a cheap VPS which serves the same purpose. That’s my setup, and how you are accessing the copyparty demo server right now – I have the cheapest VPS you can get from Hetzner. The VPS is running nginx, and it forwards the traffic to my homeserver through an SSH tunnel. I haven’t documented this approach in the copyparty readme, but I have a feeling a lot of other people have :>

Thanks for the correction; confirmed that Nextcloud now does chunked uploading (with the web-client too). Fixed :>

Good luck, and let me know if you hit any issues o/

thanks for the vote, I hear ya :>

it’s such an impressive project! Amazing what they’ve accomplished in so little time, and so important too – we need as many options as we can get.

BTRFS and ZFS support real deduplication via copy on write, and would eliminate all current disadvantages of symlink and hardlink deduplication. It just works.

yeah that’s a good point, I’ll add an option to take advantage of this if you know you’re running on a filesystem where that works as intended.

Why have it be one huge python source file?

oh don’t worry, it’s all separate files during development – there’s a build-stage which bundles everything up into a single file for distribution. But thanks for the concern :D

Thanks a lot for the kind words! ready to answer questions if you hit any bumps :>

I was thinking of that!! But then I realized that even Firefox removed gopher support by now, so the joke was dead on arrival :P

As long as it’s not causing any issues or drawbacks for modern python versions (and it isn’t), I don’t see any reason to do that – on the contrary, I know people are running copyparty on retro equipment, so I’d very much prefer to keep it for as long as possible :>