Deriving a minimal Scheme.org from first principles Lassi Kortela 27 Dec 2020 13:15 UTC

So we have three alternative ways to arrange Scheme websites:

- Have everything as subdirectories on the www.scheme.org main server.

- Have everything as subdomains *.scheme.org.

- Have everything on completely different domains.

Admin-wise, having sub-sites in subdirectories is essentially the same
thing as having them on subdomains, but with several downsides and no
obvious upside.

To compare subdomains vs completely different domains, let's try the
worst-case scenario for doc.scheme.org vs schemedoc.org. If we have
doc.scheme.org, and the whole scheme.org project somehow folds
catastrophically so that doc.scheme.org can no longer stay under the
umbrella, the logical course of action is to move it onto schemedoc.org.
This would work, assuming the contents of doc.scheme.org are backed up
in public git repos. If scheme.org is lost, old links to doc.scheme.org
around the web would break. In the very worst case, someone would take
over scheme.org and replace the old pages at doc.scheme.org with
malicious pages.

 From that disaster scenario we can directly derive the minimum
infrastructure needed for scheme.org. The internal administration of the
Scheme Documentation site is identical whether it's hosted at
doc.scheme.org or schemedoc.org. Even in the latter case, a bad actor
taking over the documentation server can still replace its contents with
malicious stuff. The differences between scheme.org and doc.scheme.org
are about trust in the DNS records. If there's a schemedoc.org domain,
its DNS is presumably run by the same people as its web server, in which
case the threat model between DNS and WWW is identical. In case of
doc.scheme.org, the DNS is run by scheme.org admins who are different
people from the doc.scheme.org WWW admins, slightly increasing the
attack surface. Scheme.org DNS is now also a common attack surface for
all scheme.org subdomains at once. To maximize trust, the job of
top-level Scheme.org is therefore to ensure this attack surface
(people-wise and technology-wise) is no larger than is strictly necessary.

The necessary features are:

- Having one or more human admins who can modify the DNS records.

- Storing the history of DNS records in Git for backups and transparency.

- That's it.

As far as I can tell, the argument to centralize sites under Scheme.org
boils down to having that minimal layer on top, vs not having it and
having everyone go their own way. Does this sound like a reasonable line
of argument?

If so, my personal opinion is that the extra layer adds a lot of
cohesion with minimal technical and social overhead. If we can draft
formal bylaws, we can also minimize the political risk. From my point of
view these controlled risks are well worth taking. Opinions to the
contrary are welcome.