
I have used Garage for a long time. It's great, but the AWS sigv4 protocol for accessing it is just frustrating. Why can't I just send my API key as a header? I don't need the full AWS SDK to get and put files, and the AWS sigv4 is a ton of extra complexity to add to my projects. I don't care about the "security benefits" of AWS sigv4. I hope the authors consider a different authentication scheme so I can recommend Garage more readily.


I read that curl recently added sigv4 for what that’s worth[0]

0: https://how.wtf/aws-sigv4-requests-with-curl.html


Of course curl has it


Implementing v4 on the server side also requires the service to keep the token as plain text. If it's a persistent password, rather than an ephemeral key, that opens up another whole host of security issues around password storage. And on the flip side requiring the client to hit an endpoint to receive a session based token is even more crippling from a performance perspective.


You can implement S3 V4 signatures in a few hundred lines of code.

https://github.com/Peergos/Peergos/blob/master/src/peergos/s...


I have done this for my purposes, but it's slow and unnecessary bloat I wish I didn't have to have.


5 hmac-sha256's per signature are slow?
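Since the thread argues over how much code SigV4 really takes and whether five HMACs per request matter, here is an added example (not Garage's code and not posted by any commenter) that implements both the client-side signing and the server-side check in Python. The credentials, host and region name are constructed placeholders, not real values.

```python
import hashlib
import hmac
from urllib.parse import quote

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def canonical_request(method, path, query, headers, payload_hash):
    # Every header passed in is covered by the signature (names lowercased, values trimmed, sorted).
    canon = {k.lower().strip(): " ".join(v.split()) for k, v in headers.items()}
    signed = ";".join(sorted(canon))
    cquery = "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(query.items()))
    cheaders = "".join(f"{k}:{canon[k]}\n" for k in sorted(canon))
    return "\n".join([method, quote(path, safe="/-_.~"), cquery, cheaders, signed, payload_hash]), signed

def signing_key(secret, date, region, service="s3"):
    """Four chained HMACs derive a per-day/region/service key from the long-term secret."""
    key = _hmac(("AWS4" + secret).encode(), date)
    for part in (region, service, "aws4_request"):
        key = _hmac(key, part)
    return key

def compute_signature(method, path, query, headers, payload_hash, secret, region):
    amz_date = {k.lower(): v for k, v in headers.items()}["x-amz-date"]  # e.g. 20240101T000000Z
    scope = f"{amz_date[:8]}/{region}/s3/aws4_request"
    creq, signed = canonical_request(method, path, query, headers, payload_hash)
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope, hashlib.sha256(creq.encode()).hexdigest()])
    return scope, signed, _hmac(signing_key(secret, amz_date[:8], region), to_sign).hex()  # fifth HMAC

def sign_request(method, path, query, headers, payload_hash, access_key, secret, region):
    # Client side: the value of the Authorization header for one request.
    scope, signed, sig = compute_signature(method, path, query, headers, payload_hash, secret, region)
    return f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, SignedHeaders={signed}, Signature={sig}"

def verify_request(authorization, method, path, query, headers, payload_hash, lookup_secret, region):
    """Server side: recompute over the headers the client declared signed; constant-time compare."""
    try:
        fields = dict(f.strip().split("=", 1) for f in authorization.split(" ", 1)[1].split(","))
        access_key = fields["Credential"].split("/")[0]
        signed = fields["SignedHeaders"].split(";")
    except (IndexError, KeyError, ValueError):
        return False
    lower = {k.lower(): v for k, v in headers.items()}
    secret = lookup_secret(access_key)  # the server needs the plaintext secret, as the thread notes
    if secret is None or "x-amz-date" not in signed or any(h not in lower for h in signed):
        return False  # missing or unsigned required headers: reject rather than guess
    scope, _, expected = compute_signature(method, path, query, {h: lower[h] for h in signed}, payload_hash, secret, region)
    return fields["Credential"] == f"{access_key}/{scope}" and hmac.compare_digest(fields["Signature"].encode(), expected.encode())

# Constructed sample: placeholder credentials and a made-up host/region name (not real values).
ACCESS_KEY, SECRET, REGION = "GKexampleaccesskey", "example-secret-not-real", "garage"
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()
SAMPLE_HEADERS = {"Host": "garage.example.internal", "X-Amz-Date": "20240101T000000Z",
                  "x-amz-content-sha256": EMPTY_SHA256}
```

A real server additionally checks that x-amz-date is recent, which is what bounds replay of a captured header.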


Given that it's completely unnecessary for my purposes, yes. Garage doesn't support anonymous access, either.


It makes sense to tap into the existing ecosystem of AWS S3-compatible clients.


Plain HTTP (as in curl without any extra headers) is already an S3-compatible client.

If this 'Garage' doesn't support the plain HTTP use case then it isn't S3 compatible.


Only if you are not doing auth right? If you need to auth then you need to send a request with headers.


Check something like PicoS3 or https://github.com/sentienhq/ultralight-s3

There are a few "very minimal" sigv4 implementations ...


Sending your API key in the header is equivalent to basic auth.


Yep, and that's fine with me. I don't have a problem with basic auth.


This is not intended for commercial services. Realistically, this software was made for people who keep servers in their basement. The security profile of LAN users is very different than public AWS.


The site says it was made (initially) and used for a commercial French hoster.


They’re a self-described “non-profit experimental hosting group”. It’s used to host their website, chat server data, etc.

It’s great they made it (I use it personally!) but that’s more akin to a home-lab than a commercial vendor.


You know FOSS software runs most of the internet right? (and, if you'll believe it, AWS internally)

I would find it completely unsurprising to see Garage used in some capacity by a Fortune 500 by the end of the year (not that they'd publicly say it).


Of course I know FOSS software runs most of the internet. But not all FOSS software equally. “Use the right tool for the job” and all that.

Why by the end of the year? Garage has been around for a while. Its lack of enterprise adoption is not due to its youth, but rather that it’s the wrong tool for the job.

There are plenty of FOSS object stores that exist already and are better targeted at enterprise workloads. Garage is amazing, I run it on my home server, but it’s not really “enterprise” software. And it’s not trying to be.

(Also I know plenty of people from AWS and it seems that a few products are FOSS based but plenty are written in house. Running on Linux, of course)


"lack of enterprise adoption" - That you know of! Most organizations don't blog when they start using a software (:

"wrong tool for the job" - What is the right tool? If it checks all the boxes compared to Minio, and outperforms Minio, it is not unlikely to be used. Minio itself was originally FOSS after all, and it is not without its problems. I'm sure there's many devops folk that welcome an alternative.

AWS (+ S3) is cost prohibitive for many workloads, even at Fortune 500 scale. Plenty of opportunity here.


Enterprise adoption isn't the goal of every software project. If people adopt it, great, but I don't think that all maintainers are targeting this. Garage is explicitly not targeting performance, for example, nor is it targeting a rich feature set.

Minio is certainly trying to be the enterprise-ready FOSS front-end for an object store. I can name a few other alternatives, like SeaweedFS, Ceph, Swift that are also trying to provide rich features. I'm not sure who checks all the boxes compared to Minio or others, depends on the boxes I guess.



