Unless I'm missing something else...
(They are not self-hosting; Eurosky is doing it.)
I've been meaning to move to my own PDS for a few months now. Still haven't. Whenever I decide to get around to it, it'll be fine.
Nothing, except make it more available.
This is why I often argue against (or at least want to point out the dangers of) the ATProto/Bluesky model.
It's an absolute boon for people who want heavy surveillance, government or otherwise.
The looseness and "unreliability" of protocols like Mastodon ironically make them safer.
There's another protocol in the works that should be useful for syncing private data:
But I do think it's always worth pushing back a bit on this idea:
> "The way Bluesky is funded is at odds with the idea of decentralisation because the platform relies on venture capital and operates under a shareholder model."
Large decentralized infrastructure like the internet, DNS, email, and the web was largely built by VC-backed companies.
The most important open source project, Linux, is funded by major tech companies through the Linux Foundation, with $311 million last year.
Corporate incentives do create conflicts, so it makes sense to be paranoid and skeptical. But the idea that companies can't contribute to open and decentralized systems is exactly the wrong lesson to learn.
We want more VC-backed startups working on open social networks and protocols. It would be great if many of them were in Europe.
Really?
What organizations do you think created the switches, routers, servers, software, fiber optic backbones? Who created the new protocols?
It was companies like AT&T/Bell Labs, Cisco, 3Com, Sun, UUNET, Netscape, AOL, the major telecoms, and a thousand other companies we don't remember.
Something like 1% inspiration from academia and government, and 99% perspiration by people working inside companies.
(Think of it this way: "I am following <username>" is a record stored in my own database, so it doesn't matter which app I click the button on that writes that record.)
decentralization is not about the number of app instances but how easy it is to switch from one to another. on that metric bluesky is already better than fediverse.
The fact that the PDS in practice owns your identity in the vast vast majority of cases is such a dumb trade off that it’s honestly laughable. Should Bluesky decide to splinter off of the network there would be like 50000 people left.
Stop telling people that it’s decentralised in any meaningful way and be honest about it instead. That’s the issue. The dishonesty and tricking users.
1. People who have no idea what decentralized is.
2. People who would try to figure exactly how decentralized something is.
If you are the latter, you would instantly question the data model of Bluesky and of Mastodon as well. If you are the former then that just sounds like a buzzword.
This is incorrect.
1. a PDS stores data, it does not own the identity.
2. Your identity is controlled by a DID, of which most users use DID:PLC.
3. This means the PLC directory controls who owns the identity.
4. Users can upload their own keys into the directory to ensure they have control.
5. At this point, the threat vector is "PLC directory lies", which is why there are transparency logs and independent mirrors.
Me too.
> I challenge you to prove the opposite.
This uses public key cryptography, so there's multiple answers here. Let's start at the beginning:
atproto uses DIDs as its identity standard: http://w3.org/TR/did-1.0/
Here is my DID, we'll use this as an example: did:plc:3danwc67lo7obz2fmdg6jxcr
There are three parts, separated by colons: The scheme (did), the method (plc), and the DID method-specific identifier (3danwc67lo7obz2fmdg6jxcr).
To use a DID, such as did:plc:3danwc67lo7obz2fmdg6jxcr, you resolve it into a DID Document https://www.w3.org/TR/did-1.0/#dfn-did-documents
> A set of data describing the DID subject, including mechanisms, such as cryptographic public keys, that the DID subject or a DID delegate can use to authenticate itself and prove its association with the DID.
That document contains various properties that describe the identity: https://www.w3.org/TR/did-1.0/#core-properties
One of those properties is the "verification method", which tells you what to do to verify the identity. So you just do whatever is in that, and that gives you the identity. In other words, the broadest part of the spec is very pluggable, it does not describe the answer to your question in all cases.
So let's get more specific: One kind of DID, and the one that's used by virtually all of atproto users, is DID:PLC. As you can see from my DID above, I'm using the PLC method for my DID.
Its specification is what I linked you to above, https://web.plc.directory/spec/v0.1/did-plc.
You can see my specific entry here, for example: https://plc.directory/did:plc:3danwc67lo7obz2fmdg6jxcr
(Note that, before we get into any other part of it, this document points at my PDS, https://morel.us-east.host.bsky.network . So already, without going further, this is why your original comment is wrong: my identity points at my PDS, my PDS does not point at my identity.)
This specifies what goes into the "verification method" of a DID document that uses this method. In this case, if you look at mine, you'll see that it points (eventually) to https://www.w3.org/TR/cid-1.0/, which is what the Multikey stuff is about. From that spec:
> Controlled identifier documents identify a subject and provide verification methods that express public cryptographic material, such as public keys, for verifying proofs created on behalf of the subject for specific purposes, such as authentication, attestation, key agreement (for encryption), and capability invocation and delegation. Controlled identifier documents also list service endpoints related to an identifier; for example, from which to request additional information for verification.
This is already getting deep in the weeds, but the point is that the publicKeyMultibase is the encoded form of the public key that controls my identity. So that's where that lives. What about its associated private key? Well, it can be anywhere! From an identity perspective, the location of the private key doesn't matter. Only that whoever has that key produces information under that identity, when signed.
So let's talk in practice: when you sign up for Bluesky, they store the private key for you. This way, for users that don't care about any of these details, they do not have to think about it at all. It's saved with the rest of your account data, you don't have to worry about backups or anything.
However, at any time, any user can register a rotation key with the PLC directory. To do this, you generate a new public and private key, and then store that private key wherever you'd like. All the usual caveats here apply. You can then use your existing private key to add this new public key to your account. Once you do that, it shows up in your DID document as a rotation key. You can use that rotation key to add more keys, remove the Bluesky owned keypair, whatever you want. Now it's not stored by Bluesky.
The majority of users have not done this, it's true. But they can. Whenever they'd like.
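The resolution steps in the comment above, as an added example that is not part of the original post: it splits a DID into its three parts, reads the PDS pointer and signing key out of a DID document, and classifies who holds the rotation keys. The DID and PDS URL are the ones quoted in the comment. The key values, the `AtprotoPersonalDataServer` service type, the 24-character base32 identifier rule and the priority ordering of rotation keys are assumptions taken from the did:plc spec linked above, not from this thread.

```python
import re

PLC_ID = re.compile(r"[a-z2-7]{24}")  # did:plc identifier: 24 base32 characters

def parse_did(did):
    """Split a DID into (scheme, method, identifier); validate did:plc syntax."""
    parts = did.split(":", 2)
    if len(parts) != 3 or parts[0] != "did" or not all(parts):
        raise ValueError(f"not a DID: {did!r}")
    if parts[1] == "plc" and not PLC_ID.fullmatch(parts[2]):
        raise ValueError(f"malformed did:plc identifier: {parts[2]!r}")
    return tuple(parts)

def pds_endpoint(doc):
    """The PDS the identity points at (the pointer lives in the DID document)."""
    for svc in doc.get("service", []):
        if svc.get("type") == "AtprotoPersonalDataServer":
            return svc.get("serviceEndpoint")
    return None

def signing_keys(doc):
    """publicKeyMultibase values controlled by the document's own DID."""
    return [vm["publicKeyMultibase"] for vm in doc.get("verificationMethod", [])
            if vm.get("controller") == doc.get("id") and "publicKeyMultibase" in vm]

def custody(rotation_keys, provider_keys):
    """Classify who can rewrite the identity, given priority-ordered rotation keys."""
    own = [i for i, k in enumerate(rotation_keys) if k not in provider_keys]
    theirs = [i for i, k in enumerate(rotation_keys) if k in provider_keys]
    if not own:
        return "provider-only"
    if not theirs:
        return "user-only"
    return "user-priority" if min(own) < min(theirs) else "provider-priority"

# Constructed sample: DID and PDS URL are from the post, key values are placeholders.
DID = "did:plc:3danwc67lo7obz2fmdg6jxcr"
DOC = {
    "id": DID,
    "verificationMethod": [{"id": DID + "#atproto", "type": "Multikey",
                            "controller": DID,
                            "publicKeyMultibase": "zEXAMPLE-SIGNING-KEY"}],
    "service": [{"id": "#atproto_pds", "type": "AtprotoPersonalDataServer",
                 "serviceEndpoint": "https://morel.us-east.host.bsky.network"}],
}
PROVIDER = {"did:key:zEXAMPLE-PROVIDER-1", "did:key:zEXAMPLE-PROVIDER-2"}

if __name__ == "__main__":
    print(parse_did(DID), pds_endpoint(DOC), signing_keys(DOC))
    print(custody(["did:key:zEXAMPLE-USER", *sorted(PROVIDER)], PROVIDER))
```

A result of `provider-only` corresponds to the default sign-up state the comment describes; `user-priority` is the state after a user registers their own rotation key ahead of the provider's.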
3Com, raised $1.1M from three venture capitalists in 1981.
Sun, a Kleiner Perkins portfolio company.
UUNET, raised from Accel, Menlo, and NEA in 1993.
Netscape, backed by Kleiner Perkins.
AOL, backed by Kleiner Perkins.
It turns out that commercialization is most of the work of creating a globally decentralized system. Which doesn't mean the non-commercial work wasn't critical.
The poor need the rich to start a company as banks are prevented (by the rich) from lending to them.
The rich like VC as it's a tax write-off, they invest in VCs and get even richer.
Most startups fail, the VC's investors get any leftovers and poor founder walks off empty.
>What about when things go wrong?
In general, if you lose money on an investment, you can offset that “capital loss” against a capital gain you have from something else.
no. the banks hold the poor's money, and it needs to do so without risk because the poor need their money. lending money to start companies that are completely unsecured is too risky for banks, they lend money to buy houses which is secured debt.
Banks often lend at low LTV ratios because the prices are inflated so people on normal salaries can't actually afford to put down a large deposit, which means a slight drop puts them into negative equity but the banks are not concerned as they are protected.
If the state chose to underwrite startups in the same way...
VC funding is fine in some contexts, but most of the stack should be non profit driven whenever possible to prevent the eventual enshittification and attempts at capture by profit driven actors. You can always donate to the relevant non profit (code, time, fiat), but by operating the public good as a non profit, you're creating a form of security boundary and reducing attack surface by economic threat actors. Worst case, the VC funded enterprise fails open and the only harm is employees who need to find new jobs and shareholders and investors who experience a capital loss.
We want to continue to own the commons and culture collectively when for profit companies building on public social infrastructure ("open social networks and protocols") close or a suboptimal change of ownership occurs.
Non-profits are great and we should have them too. If you look into how these non-profits are funded, it's largely corporate money.
> So let's talk in practice: when you sign up for Bluesky, they store the private key for you. This way, for users that don't care about any of these details, they do not have to think about it at all. It's saved with the rest of your account data, you don't have to worry about backups or anything.
> However, at any time, any user can register a rotation key with the PLC directory. To do this, you generate a new public and private key, and then store that private key wherever you'd like. All the usual caveats here apply. You can then use your existing private key to add this new public key to your account. Once you do that, it shows up in your DID document as a rotation key. You can use that rotation key to add more keys, remove the Bluesky owned keypair, whatever you want. Now it's not stored by Bluesky.
> The majority of users have not done this, it's true. But they can. Whenever they'd like.
The Bluesky PDS stores (and has access to!) your private keys. They are in full control of your identity. It just so happens that 99.99% of users are on the Bluesky PDSs AND 99.99% of users will choose the path of least resistance and in practice NEVER register an external rotation key. This is exactly the problem. It is massively centralized and a rug pull from Bluesky would effectively just kill off the network.
It's insane that this is just hand-waved away because "you can just self-host" or "you can just register an external rotation key". If you think users will actually do this I have a bridge to sell you.
pelagicAustral•1d ago
dotcoma•1d ago
lostlogin•23h ago
It immediately makes me think of sovereign citizens and I get twitchy.
giancarlostoro•22h ago
toomuchtodo•1d ago
https://xkcd.com/705/
dotcoma•1d ago
toomuchtodo•5h ago
caycep•1d ago
busterarm•1d ago
The only exception to this rule I would say is AWS GovCloud, which also might be one of the only chill teams to work at across Amazon. It turns out having "only one way to do it", a system proved through a rigorous vetting process and a thoroughly worked-through contracting process leads to a pretty fantastic work environment for practitioners.
Trying to reimplement that piecemeal is for tougher men than me though. I think I'd rather sit on hot nails.
sph•1d ago
The catch is that, being a government contract, you, the guy doing the actual work, are beneath three or four layers of companies and bureaucracy and you get over-engineered yet somehow too vague specs and projects that take 6 months just to get approved. But hey, the pay is good, and it’s for one of the better causes.
My other EU client, a much smaller non-tech company for whom I host their servers, has recently wanted to know if we depend on any US services, to reduce their exposure.
I believe you can get decent work just by advertising yourself as an expert in migrating code and data out of the US.
That said, the job and economy situation is a big question mark and appetite to invest has lessened dramatically so YMMV
Imustaskforhelp•1d ago
Could you elaborate perhaps a bit more on this on actually why the appetite for investment has lessened? I'd be curious to know more, thanks!
sph•1d ago
Fair to say investments and new projects are a bit harder to come by.
alex1138•1d ago
IndySun•1d ago
"To use this system, you must understand that we cannot make any guarantees regarding the security and privacy of data that you may store in a solidcommunity.net Solid pod, or concerning the system's functionality and availability."
thisismissem•1d ago
AT Protocol achieved what Solid envisioned without the inane complexities of rdf and json-ld, which were the biggest learning blockers to people actually adopting Solid.
toomuchtodo•23h ago
Related:
ATProto Permissioned Data Proposal Draft - https://news.ycombinator.com/item?id=48651727 - June 2026 (4 comments)
thrill•23h ago
rsolva•22h ago