After my previous server got hacked (presumably), I am now looking for new solutions to my needs. CalDAV/CardDAV is a big one.
So far I switched from a content management system (PHP) to a static site generator for my blog, and I’m not looking back.
I wonder if it makes sense to also step away from PHP wrt CalDAV/CardDAV.
As ever so often, this list has some nice info.
I’d like to keep dependencies low. Python would be a good choice because it’s already installed on my Debian Stable system. But would it be safer?
Back when I started this compatibility with clients was an issue; but I don’t use Android anymore. In any case, is this still an issue?
edit: no, I don’t use a web based app; and I’d prefer the server doesn’t require admin via web UI either.
You must log in or register to comment.
Good choice. I’ve been running Radicale for years, reverse proxied behind Caddy, and it’s been solid.
I use radicale. Safe and solid. Zero php.
You need to install a separate app if you want a web based calendar ui, or you can just use dav5x on android or any other caldav client.
Thanks for the tip. Already set it up. I like it - does just what I need and not much more. And the web UI can be disabled.
I’ve been using Nextcloud for almost a decade (started with Owncloud), publicly exposed to the internet with no VPN, and I’ve had no issues with security or with DAV. I do nothing special besides keeping it up to date (And using strong passwords, I guess)
I personally don’t like their kitchen sink approach.
I’ve been using NC for about the same amount of time and I will say I’m no longer as happy with it as I once was, primarily because it’s a mess of PHP, gum and popsicle sticks held together by me going in there every 3 upgrades to fix ‘occ missing indices’, add a sql table or some such error.
The caldav integration did allow me to break free from google some more, and it works well, but I’ve since moved file sync to syncthing and I’m looking for a standalone caldav solution.
My journey⋮ Nextcloud —> syncthing + radicale
Much simpler, easier to maintain, less resources needed
Thank you, I’ll try radicale.
What’s wrong with following the official upgrade procedure? Don’t complain about missing tables or indices then.
The most important thing is that the software does not break and you can maneuver out of every bad situation. This is important for self-hosting.
I don’t care if it’s PHP. Many good things are written in PHP. I find Python and Ruby much worse for web applications. Not because of the language, but because it’s hard to maneuver out of some situations.
That said I didn’t have many problems with Nextcloud. The only thing I criticize is that it solves too many problems at once.
I’m not sure what gave you the impression I don’t follow the official procedure, I do follow the official upgrade procedure, and always have through its many stupid iterations for the last 8 years.
Example error, from last week:
Devs did not test with NC instances created before v21.x, so the SQL db is broken when going through the official upgrade if your nc has the old structure and I had to manually modify the actual db to work.
This kind of shit happens about twice a year. Mind you, this exact literal thing happened from v18.x to 19.x also, you’d think they has learned their lesson.
And php itself is fine. Not the most secure way to build a webapp, but fine. However, upgrading PHP on various platforms is an exercise in pulling your hair out.
Nextcloud is great when it’s working. Most upgrades are fine. But when it poops the bed, it’s another hour I can’t get back. No other self-hosted software in my stack is like that.
So you seriously expect an upgrade from major version 20 or less to major version 31 going well?
It’s like upgrading from Windows 3.1 to Windows 11.
You misread that.
The database was from prior to 21.x, because i installed NC 8 years ago at v14 and have upgraded since then. I’ve been upgrading the same system since late 2016.
Stop picking fights with strangers.
No I didn’t. You should really read the upgrade guide:
You cannot skip major releases.
Security in software is about implementation, not different programming languages. Security as a whole is also not something you can achieve just by installing “secure” software - every software has bugs and vulnerabilities. Some of them are known, others are unknown and not every one of them automatically poses a security risk to you, this depends on the bug, your usage and environment. You can try to harden your system, but you need to do this in layers and the application code is just one of them.
For example, you could geoblock IP addresses so their requests never even reach your application. This does not mean that you’re automatically safe from attackers from e.g. Russia, but you make yourself a less easy target.
There are many other defense mechanisms like request limiting, dynamically blocking malicious requests with something like Fail2Ban, strong authentication, frequent patching, network segregation, virtualization, and so on. I hope you see where I’m going. Security is complex and depends a lot on your personal threat model.
That being said, if you need to know how secure the code of a given software is, you need to find something that has recently been audited or audit it yourself.
