Deriving a minimal from first principles Lassi Kortela 27 Dec 2020 13:15 UTC

So we have three alternative ways to arrange Scheme websites:

- Have everything as subdirectories on the main server.

- Have everything as subdomains *

- Have everything on completely different domains.

Admin-wise, having sub-sites in subdirectories is essentially the same
thing as having them on subdomains, but with several downsides and no
obvious upside.

To compare subdomains vs completely different domains, let's try the
worst-case scenario for vs If we have, and the whole project somehow folds
catastrophically so that can no longer stay under the
umbrella, the logical course of action is to move it onto
This would work, assuming the contents of are backed up
in public git repos. If is lost, old links to
around the web would break. In the very worst case, someone would take
over and replace the old pages at with
malicious pages.

From that disaster scenario we can directly derive the minimum
infrastructure needed for The internal administration of the
Scheme Documentation site is identical whether it's hosted at or Even in the latter case, a bad actor
taking over the documentation server can still replace its contents with
malicious stuff. The differences between and
are about trust in the DNS records. If there's a domain,
its DNS is presumably run by the same people as its web server, in which
case the threat model between DNS and WWW is identical. In case of, the DNS is run by admins who are different
people from the WWW admins, slightly increasing the
attack surface. DNS is now also a common attack surface for
all subdomains at once. To maximize trust, the job of
top-level is therefore to ensure this attack surface
(people-wise and technology-wise) is no larger than is strictly necessary.

The necessary features are:

- Having one or more human admins who can modify the DNS records.

- Storing the history of DNS records in Git for backups and transparency.

- That's it.

As far as I can tell, the argument to centralize sites under
boils down to having that minimal layer on top, vs not having it and
having everyone go their own way. Does this sound like a reasonable line
of argument?

If so, my personal opinion is that the extra layer adds a lot of
cohesion with minimal technical and social overhead. If we can draft
formal bylaws, we can also minimize the political risk. From my point of
view these controlled risks are well worth taking. Opinions to the
contrary are welcome.
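The "necessary features" list above (a few human DNS admins plus the record history kept in Git) is what makes a change to the shared DNS attack surface reviewable. As an added illustration that is not part of the original message, the script below diffs two Git-tracked zone snapshots and flags the record types whose change can hand a subdomain to a different operator; the zone contents, names and addresses are constructed sample data.

```python
"""Diff two Git-tracked snapshots of a DNS zone and flag changes that matter
for the subdomain threat model: NS delegation and where each name points.
Both snapshots are constructed sample data, not a real zone (added example)."""
from collections import defaultdict

# Constructed snapshots in a simplified "name TYPE value" format.
ZONE_BEFORE = """
@      NS     ns1.dns-provider.invalid.
@      NS     ns2.dns-provider.invalid.
docs   A      192.0.2.10
lists  CNAME  lists-host.example.invalid.
www    A      192.0.2.20
"""
ZONE_AFTER = """
@      NS     ns1.dns-provider.invalid.
@      NS     ns2.dns-provider.invalid.
docs   A      198.51.100.7
lists  CNAME  lists-host.example.invalid.
www    A      192.0.2.20
wiki   A      192.0.2.30
"""
# Record types whose change can redirect a whole subdomain to another operator.
SENSITIVE_TYPES = {"NS", "A", "AAAA", "CNAME", "MX"}

def parse_zone(text):
    """Return {(name, type): set(values)} from the simplified zone format."""
    records = defaultdict(set)
    for raw in text.splitlines():
        line = raw.split(";")[0].strip()  # drop comments and blank lines
        if line:
            name, rtype, value = line.split(None, 2)
            records[(name, rtype.upper())].add(value)
    return records

def diff_zones(before_text, after_text, only_sensitive=False):
    """List (name, type, old_values, new_values) for each changed record set,
    optionally restricted to the types in SENSITIVE_TYPES."""
    before, after = parse_zone(before_text), parse_zone(after_text)
    changes = []
    for name, rtype in sorted(set(before) | set(after)):
        if only_sensitive and rtype not in SENSITIVE_TYPES:
            continue
        old, new = before.get((name, rtype), set()), after.get((name, rtype), set())
        if old != new:
            changes.append((name, rtype, sorted(old), sorted(new)))
    return changes

if __name__ == "__main__":
    for name, rtype, old, new in diff_zones(ZONE_BEFORE, ZONE_AFTER, True):
        print(f"{name} {rtype}: {old} -> {new}")
```

Run against the two snapshots it reports the changed `docs` address and the new `wiki` name, which is exactly the kind of change a human admin should confirm before the commit is merged.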